[Unbound-users] Insisting on DNSSEC
Rick van Rein
rick at openfortress.nl
Mon Jan 13 21:51:37 UTC 2014
Hi,
>> I’d like to trust the signed portion of DNS, and build security systems on top of that. So the _old_ DNS isn’t the right thing for the applications I have in mind.
>
> Could you expand a bit on the kind of applications you have in mind?
Anything that bases security on DNS info, really; just a few that spring to mind:
- public key info such as TLSA and CERT records
- in some cases, perhaps, references to services (to avoid MITM scenarios based on DNS)
- Kerberos currently mistrusts DNS for non-configured domain lookups, and must therefore be configured manually, which is a shame if DNSSEC can help
DNSSEC offers an opportunity to secure DNS; the current assumption is that the provider of the information chooses whether or not to secure it; but in some cases the user of the information wants to be able to constrain the information to be trusted to only information that is certainly correct.
-Rick
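What "insisting on DNSSEC" looks like on the application side, as an added example that is not part of Rick's post and not Unbound's code: a validating resolver sets the AD (Authentic Data) bit in the response header only when every RRset in the Answer and Authority sections validated (RFC 4035), so an application that wants only provably-correct DNS data can send a DNSSEC-aware query (EDNS0 OPT record with DO=1, CD left clear so the resolver validates) and refuse any response whose AD bit is clear. The name `_443._tcp.example.com`, the transaction ID and the TLSA rdata below are constructed placeholders, and the two responses are built by hand rather than captured; the only real wire format involved is plain DNS/EDNS0.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035) and the EDNS0 DO bit (RFC 6891)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authentic Data: resolver validated everything in Answer+Authority
EDNS_DO = 0x8000   # DNSSEC OK, carried in the OPT RR's TTL field
TYPE_OPT = 41
TYPE_TLSA = 52
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """DNSSEC-aware query: RD set, CD clear (we want the resolver to validate),
    plus an EDNS0 OPT RR with DO=1 so the resolver knows we understand DNSSEC."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (a compression pointer ends a name)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Parse the header flags and the Answer section of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "ad": bool(flags & FLAG_AD), "answers": answers}


class NotValidated(Exception):
    """Raised when the resolver did not assert DNSSEC validation."""


def validated_rrset(msg: bytes, rtype: int) -> list:
    """Return the rdata of `rtype` records, but only when AD=1.
    Raising instead of returning [] stops callers from quietly falling back to plain DNS."""
    resp = parse_response(msg)
    if not resp["ad"]:
        raise NotValidated("AD bit clear: answer is not DNSSEC-validated, refusing to use it")
    return [rdata for rt, rdata in resp["answers"] if rt == rtype]


def make_response(qname: str, rtype: int, rdata: bytes, ad: bool, txid: int = 0x1234) -> bytes:
    """Constructed sample response (not captured traffic): one answer RR, AD set or clear."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", rtype, CLASS_IN)
    # answer owner name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


# Constructed TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256), dummy digest
TLSA_RDATA = bytes([3, 1, 1]) + bytes(range(32))
QNAME = "_443._tcp.example.com"   # placeholder name, not a real deployment

if __name__ == "__main__":
    print(validated_rrset(make_response(QNAME, TYPE_TLSA, TLSA_RDATA, ad=True), TYPE_TLSA))
    try:
        validated_rrset(make_response(QNAME, TYPE_TLSA, TLSA_RDATA, ad=False), TYPE_TLSA)
    except NotValidated as exc:
        print("rejected:", exc)
```

The AD bit is an assertion by the resolver, not a signature, so this check is only as good as the path to that resolver: it is meaningful with a validating Unbound on localhost or reached over a protected channel, and worthless against an arbitrary resolver on the network. With a validating resolver, an answer whose signatures are bogus comes back as SERVFAIL and never reaches `validated_rrset`; an answer from an unsigned zone comes back as a normal response without AD, and rejecting that second case is exactly the "insisting" the post asks for, applied to TLSA/CERT lookups or to Kerberos realm discovery alike.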