[ldns-users] DNSSEC (was Re: function call backs in ldns_resolver_send*?)

Miek Gieben miek at miek.nl
Wed Dec 15 12:14:43 UTC 2010


[ Quoting Paul Wouters in "Re: [ldns-users] function call back"... ]
> [somewhat stealing this thread, apologies]
>
> This reminds me of a design decision we have to make (but postponed). That is
> to add better DNSSEC support to Openswan. It currently supports the bind lwres{}
> interface, which requires running a local bind. It does not yet support/use the
> AD bit.

[SNIP]

> with other applications (eg firefox) doing something similar by validating data in
> the same zone with the same DNSKEYs, for instance when firefox would support the
> new DANE draft: https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/?include_text=1
> 
> Advice? Thoughts?

my 0.02 eur

My current view is the following. I think we should separate the two
processes:
o normal (plain DNS) resolving
o DNSSEC validation

So any app. just uses the DNS as it always has done and displays that
information (a dns packet, a webpage, whatever) to the user.  When
security is needed, extra lookups are performed and the crypto is
checked. And when this dane-protocol works you can check that too.

With this info you can then create a colored lock symbol.

So the way forward would be to use libunbound IMHO and create
only two functions:

o is_this_secure(DNSKEY record), gives back yes/no, checks the chain
o is_this_secure_dane(SSL cert), gives back yes/no, uses the dane protocol

And create a fancy gui library for colored images of locks.

grtz,

--
 Miek
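An added example (not code from the thread, nor from ldns or unbound) of the split proposed above: the plain answer is shown whatever happens, and the two yes/no checks run beside it. It models the `secure`/`bogus`/`havedata`/`why_bogus` fields libunbound returns in `ub_result`, but uses a constructed stand-in instead of calling `ub_resolve()`, so it runs offline. The TLSA rdata layout is the one later standardised in RFC 6698 (the 2010 draft differed in detail; that is an assumption of this example), and the certificate bytes are constructed placeholders, not real DER. The DANE check only accepts TLSA records that themselves validated under DNSSEC, which is the caveat a practitioner would want stated.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UbResult:
    """The subset of libunbound's ub_result fields the checks below need
    (field names as in unbound.h); a constructed stand-in for ub_resolve()."""
    havedata: bool
    secure: bool
    bogus: bool
    why_bogus: Optional[str] = None
    data: List[bytes] = field(default_factory=list)  # rdata in wire format


def is_this_secure(result: UbResult) -> bool:
    """Proposed function 1: did the chain of trust validate the answer?"""
    return result.havedata and result.secure and not result.bogus


def lock_color(result: UbResult) -> str:
    """The plain-DNS answer is displayed regardless; this only picks the lock."""
    if result.bogus:
        return "red"      # validation failed: result.why_bogus says why
    if is_this_secure(result):
        return "green"    # chain of trust checked out
    return "grey"         # unsigned zone: plain DNS, nothing to claim


@dataclass
class TLSA:
    usage: int
    selector: int    # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int    # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: bytes) -> TLSA:
    """TLSA rdata: three one-octet fields followed by the association data
    (layout as standardised in RFC 6698; assumption, the 2010 draft differed)."""
    if len(rdata) < 3:
        raise ValueError("TLSA rdata too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def _association(cert_der: bytes, spki_der: bytes, rr: TLSA) -> bytes:
    """Derive the value a record with this selector/matching type should carry."""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.matching == 0:
        return selected
    if rr.matching == 1:
        return hashlib.sha256(selected).digest()
    if rr.matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rr.matching}")


def is_this_secure_dane(tlsa_result: UbResult, cert_der: bytes, spki_der: bytes) -> bool:
    """Proposed function 2: does the presented certificate match a TLSA record
    that itself passed DNSSEC validation?  Unvalidated TLSA data is ignored:
    the DANE binding is only as strong as the DNSSEC chain beneath it."""
    if not is_this_secure(tlsa_result):
        return False
    for rdata in tlsa_result.data:
        rr = parse_tlsa(rdata)
        try:
            if _association(cert_der, spki_der, rr) == rr.data:
                return True
        except ValueError:
            continue  # unknown matching type: skip this record, try the next
    return False


# Constructed sample input (not real certificates): stand-ins for DER bytes.
CERT_DER = b"constructed-certificate-der-bytes"
SPKI_DER = b"constructed-subject-public-key-info"


def sample_tlsa_rdata() -> bytes:
    """Usage 3, selector 0 (full cert), matching 1 (SHA-256 of CERT_DER)."""
    return bytes([3, 0, 1]) + hashlib.sha256(CERT_DER).digest()


def demo() -> dict:
    """Run the three resolver outcomes through both checks and the lock colour."""
    secure = UbResult(havedata=True, secure=True, bogus=False, data=[sample_tlsa_rdata()])
    unsigned = UbResult(havedata=True, secure=False, bogus=False, data=[sample_tlsa_rdata()])
    bogus = UbResult(havedata=True, secure=False, bogus=True, why_bogus="signature expired")
    return {
        "lock_secure": lock_color(secure),
        "lock_unsigned": lock_color(unsigned),
        "lock_bogus": lock_color(bogus),
        "dane_ok": is_this_secure_dane(secure, CERT_DER, SPKI_DER),
        "dane_unsigned_tlsa": is_this_secure_dane(unsigned, CERT_DER, SPKI_DER),
        "dane_wrong_cert": is_this_secure_dane(secure, b"some-other-cert", SPKI_DER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the split shows in the `unsigned` case: the TLSA record bytes match the certificate perfectly, yet `is_this_secure_dane` says no, because a TLSA answer that did not validate is just plain DNS and gives an attacker-controlled answer the same weight as a legitimate one. The GUI gets a grey lock, not a green one.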