[Unbound-users] Insisting on DNSSEC
Oliver Peter
lists at peter.de.com
Mon Jan 13 15:09:12 UTC 2014
On Sun, Jan 12, 2014 at 11:03:47AM +0100, Rick van Rein wrote:
> > If an application wants to insist on DNSSEC, they simply need to query
> > and check for the AD bit being set. It's not up to the resolver to
> > set application policy.
>
> Two reasons make this technically correct, but intractable:
>
> 1. The person wanting to enforce this policy may be a sysadmin, rather than a developer. He’d end up doing nasty things with firewalls and experience delay times.
>
> 2. I think the recursive resolver is the ultimate place to implement insisting on DNSSEC; using an overloaded bit to do it elsewhere somewhat scares me.
Why does this scare you? If you don't trust the AD bit from your
DNSSEC validating resolver - why trust the response at all?
Perhaps DNS is not the right thing for your application.
> So I, ehm, insist, that this is a useful feature to add to Unbound ;-)
Unbound has been released under the BSD license which means you are
free to svn checkout the sources and hack, hack, hack.
--
Oliver PETER oliver at gfuzz.de 0x456D688F
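As an added illustration (not code from this thread or from Unbound) of the "query and check for the AD bit" approach at the wire level: the query carries an EDNS0 OPT record with the DO bit set, and the response check accepts only a NOERROR answer on which the resolver set AD. The sample responses are constructed, and example.net is a placeholder name.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891).
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authentic Data: the resolver validated this answer
FLAG_CD = 0x0010   # Checking Disabled
RCODE_MASK = 0x000F
EDNS_DO = 0x8000   # DNSSEC OK, carried in the OPT record's TTL field

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, msg_id=0x1234):
    """Recursive query for `name` with an EDNS0 OPT RR that sets DO."""
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qclass IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode|version|flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt

def parse_header(msg):
    """Return the header fields an application needs to judge a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & RCODE_MASK, "ancount": an}

def dnssec_validated(msg, expected_id):
    """True only for the matching response, NOERROR, with AD set by the resolver.
    AD is the resolver's assertion, so it is only worth trusting when the resolver
    itself is trusted (e.g. a local validating Unbound reached over a trusted path)."""
    try:
        h = parse_header(msg)
    except ValueError:
        return False
    return h["id"] == expected_id and h["qr"] and h["rcode"] == 0 and h["ad"]

# Constructed sample responses: header plus echoed question, no answer records.
QUESTION = encode_name("example.net") + struct.pack("!HH", 1, 1)
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 0, 0, 0) + QUESTION
RESP_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + QUESTION
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print(build_query("example.net").hex())
    for r in (RESP_VALIDATED, RESP_UNVALIDATED, RESP_SERVFAIL):
        print(dnssec_validated(r, 0x1234))
```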