[ldns-users] DNSSEC (was Re: function call backs in ldns_resolver_send*?)
Miek Gieben
miek at miek.nl
Wed Dec 15 12:14:43 UTC 2010
[ Quoting Paul Wouters in "Re: [ldns-users] function call back"... ]
> [somewhat stealing this thread, apologies]
>
> This reminds me of a design decision we have to make (but postponed). That is
> to add better DNSSEC support to Openswan. It currently supports the bind lwres{}
> interface, which requires running a local bind. It does not yet support/use the
> AD bit.
[SNIP]
> with other applications (eg firefox) doing something similar by validating data in
> the same zone with the same DNSKEYs, for instance when firefox would support the
> new DANE draft: https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/?include_text=1
>
> Advise? Thoughts?
my 0.02 eur
My current view is the following. I think we should separate the two
processes:
o normal (plain DNS) resolving
o DNSSEC validation
So any app. just uses the DNS as it always has done and displays that
information (a dns packet, a webpage, whatever) to the user. When
security is needed, extra lookups are performed and the crypto is
checked. And when this dane-protocol works you can check that too.
With this info you can then create a colored lock symbol.
So the way forward would be to use libunbound IMHO and create
only two functions:
o is_this_secure(DNSKEY record), gives back yes/no, checks the chain
o is_this_secure_dane(SSL cert), gives back yes/no, uses the dane protocol
And create a fancy gui library for colored images of locks.
grtz,
--
Miek