[ldns-users] DNSSEC (was Re: function call backs in ldns_resolver_send*?)

Miek Gieben miek at miek.nl
Wed Dec 15 21:15:54 UTC 2010

[ Quoting Paul Wouters in "Re: [ldns-users] DNSSEC (was Re: fu"... ]
> On Wed, 15 Dec 2010, Paul Wouters wrote:
> >>use the local resolver
> >>dont trust the local resolver
> >>do the validation yourself
> >
> >If you do validation yourself, I guess you also have to cache yourself?
> Additionally, you have to figure out where to put the trust anchors. If you
> can't trust the local resolver to validate, you can't trust it for its
> trust anchors either. Would openswan need an option to load trust anchors?
> Not sure I like the way this is going :P

Still not sure what advise I should give to openswan, but to give some
more background on why I'm advocating insecure loopups.

My gut feeling currently tells me (this could of course change of
time :-) ), that there is going to be a difference in "doing a lookup"
and "validating some info (most key-related data) from the DNS".
And the primary reason for this is feedback to the user - if all
the feedback you can give is SERVFAIL, people will turn off DNSSEC and
re-query. If your app. can *show* the data *and* tell it is not secure, you
mimic the current situation with ssl certificates (in browsers).

grtz Miek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/ldns-users/attachments/20101215/958b16c5/attachment.bin>

More information about the ldns-users mailing list