[ldns-users] DNSSEC (was Re: function call backs in ldns_resolver_send*?)

Miek Gieben miek at miek.nl
Wed Dec 15 21:15:54 UTC 2010


[ Quoting Paul Wouters in "Re: [ldns-users] DNSSEC (was Re: fu"... ]
> On Wed, 15 Dec 2010, Paul Wouters wrote:
> 
> >>use the local resolver
> >>dont trust the local resolver
> >>do the validation yourself
> >
> >If you do validation yourself, I guess you also have to cache yourself?
> 
> Additionally, you have to figure out where to put the trust anchors. If you
> can't trust the local resolver to validate, you can't trust it for its
> trust anchors either. Would openswan need an option to load trust anchors?
> 
> Not sure I like the way this is going :P

Still not sure what advice I should give to openswan, but to give some
more background on why I'm advocating insecure lookups:

My gut feeling currently tells me (this could of course change over
time :-) ) that there is going to be a difference between "doing a lookup"
and "validating some info (most key-related data) from the DNS".
And the primary reason for this is feedback to the user: if all
the feedback you can give is SERVFAIL, people will turn off DNSSEC and
re-query. If your app can *show* the data *and* tell that it is not secure, you
mimic the current situation with SSL certificates (in browsers).

grtz Miek
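As an added illustration of the lookup-versus-validation split discussed in this message (example code written for this page, not ldns or openswan code): a small Python model in which the application keeps the resolver's answer together with a security status, so it can show the data and say that it is not secure instead of surfacing only SERVFAIL. It assumes the application relies on the upstream resolver's AD bit (the "trust the local resolver" option from the thread) and, when that resolver answers SERVFAIL, re-queries with CD=1 to fetch the unvalidated data for display. Only the 12-byte DNS header is modelled, all responses are constructed inline, and the function and status names are this example's own. The thread's caveat applies: the AD bit is only as trustworthy as the resolver that set it.

```python
"""Lookup plus security status for a DNSSEC-aware application.

Assumed model (example code, not ldns or openswan): the application trusts
the AD (Authenticated Data) bit set by an upstream validating resolver, and
when that resolver answers SERVFAIL it re-queries with CD=1 to obtain the
unvalidated data so it can be shown as "bogus" instead of hidden.
Only the DNS header is modelled; every response below is constructed.
"""
import struct
from enum import Enum

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2)
FLAG_QR = 1 << 15   # message is a response
FLAG_RD = 1 << 8    # recursion desired
FLAG_RA = 1 << 7    # recursion available
FLAG_AD = 1 << 5    # authenticated data, set by a validating resolver
FLAG_CD = 1 << 4    # checking disabled, client asks the resolver not to validate

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


class Status(Enum):
    SECURE = "secure"            # data present, AD set by the resolver
    INSECURE = "insecure"        # data present, zone not signed (no AD)
    BOGUS = "bogus"              # resolver refused validation; data fetched with CD=1
    UNAVAILABLE = "unavailable"  # no data could be obtained at all


def build_response_header(txid, rcode, ad=False, cd=False, ancount=0):
    """Construct a DNS response header (sample data, not captured traffic)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0xF)
    if ad:
        flags |= FLAG_AD
    if cd:
        flags |= FLAG_CD
    return HEADER.pack(txid, flags, 1, ancount, 0, 0)


def parse_header(wire):
    """Extract the fields the status decision needs from a response header."""
    if len(wire) < HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = HEADER.unpack_from(wire)
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return {"id": txid, "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & 0xF, "ancount": an}


def classify(first_response, cd_retry=None):
    """Return (Status, parsed header) for one lookup.

    first_response: answer to the normal query (DO=1, CD=0).
    cd_retry: answer to the follow-up query sent with CD=1; only consulted when
              the first answer was SERVFAIL, None if the app did not re-query.
    """
    h = parse_header(first_response)
    if h["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return (Status.SECURE if h["ad"] else Status.INSECURE), h
    if h["rcode"] == RCODE_SERVFAIL and cd_retry is not None:
        r = parse_header(cd_retry)
        if r["cd"] and r["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
            # The resolver could answer once validation was switched off, so the
            # data exists but failed validation upstream: show it, clearly flagged.
            return Status.BOGUS, r
    return Status.UNAVAILABLE, h


def lookup_demo():
    """Walk the four outcomes with constructed responses; returns name -> Status."""
    return {
        "signed-ok": classify(build_response_header(0x1001, RCODE_NOERROR, ad=True, ancount=1))[0],
        "unsigned": classify(build_response_header(0x1002, RCODE_NOERROR, ancount=1))[0],
        "bad-sig": classify(build_response_header(0x1003, RCODE_SERVFAIL),
                            build_response_header(0x1003, RCODE_NOERROR, cd=True, ancount=1))[0],
        "no-retry": classify(build_response_header(0x1004, RCODE_SERVFAIL))[0],
    }


if __name__ == "__main__":
    for name, status in lookup_demo().items():
        print(f"{name:10s} -> {status.value}")
```

The point of the four-way status is the one made in the message above: a plain SERVFAIL gives the user nothing to act on, whereas "bogus" still shows what the DNS returned while making clear that it must not be trusted for key material. An application that instead does its own validation (the other option in the thread) would replace the AD-bit check with its own signature verification against locally loaded trust anchors, but the status it reports to the user can stay the same.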