[Dnssec-deployment] DNSSEC aware recursive name servers

Matt Larson mlarson at verisign.com
Fri Aug 5 16:29:10 EDT 2011


On Fri, 05 Aug 2011, Patrik Fältström wrote:
> On 5 aug 2011, at 21.25, Matt Larson wrote:
> 
> > And what if I don't trust my recursive name server?
> 
> Run your recursive name server on the same box as the app, and trust the communication between them?

I tried that on my Mac and it lasted until the Nth trip I took to a
{hotel, coffee shop, etc.} that munged or filtered DNS traffic and
forced me to reconfigure my stub resolver on the fly after banging my
head for a few minutes trying to figure out what was wrong.

I don't think it's realistic to expect even a majority of end systems
to be able to perform iterative resolution (i.e., run a recursive name
server) as a means to access DNSSEC-authenticated data.

> I think we talk about two problems here:
> 
> 1. The signaling (more EDNS0 flags, like validation-required and validation-ok)
> 
> 2. Secure the trust of the signaling itself, i.e. communication path between stub and recursive resolver

Yes, for the use case of a trusted recursive name server.  But for an
untrusted recursive name server or for a non-clear path (whether the
recursive name server is trusted or untrusted), we need a way for the
end system to get the records it needs to perform its own validation.

Matt
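
As an added illustration, not code from the thread or its participants: a minimal stub-side view of the signaling the two messages above discuss, using the header and EDNS0 bits that already exist (CD and AD in the header per RFC 4035, DO in the OPT record per RFC 6891). The query asks the recursive server to return RRSIG records without withholding data it cannot validate, and the response summary shows the stub what it actually got back (AD bit, RR types); the response below is a constructed sample, not a captured packet, and its RRSIG RDATA is placeholder bytes.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035); DO lives in the OPT TTL field (RFC 6891).
RD, AD, CD, TYPE_A, TYPE_OPT, TYPE_RRSIG = 0x0100, 0x0020, 0x0010, 1, 41, 46

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, own_validation=True):
    """Stub that validates itself: CD = do not drop unvalidatable data, DO = send RRSIGs."""
    flags = RD | (CD if own_validation else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1)   # 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    do_bit = 0x8000 if own_validation else 0
    # OPT RR: root owner name, CLASS = UDP payload size, TTL = ext-rcode/version/DO
    opt_rr = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, do_bit, 0)
    return header + question + opt_rr

def skip_name(msg, off):
    while not msg[off] & 0xC0 and msg[off]:   # walk labels until root or pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def summarize_response(msg):
    """Header bits plus answer RR types: what a stub checks before validating itself."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"id": txid, "ad": bool(flags & AD), "cd": bool(flags & CD),
            "answer_types": types, "has_rrsig": TYPE_RRSIG in types}

def constructed_response():
    """Constructed sample: an untrusted recursive server leaves AD clear but
    still returns the A record and its RRSIG (placeholder RDATA) because DO was set."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | CD, 1, 2, 0, 0)  # QR|RD|RA, CD echoed
    question = encode_name("example.com") + struct.pack(">HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                            # owner name: pointer to the question name
    a_rr = ptr + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = ptr + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, 5) + b"\x00" * 5
    return header + question + a_rr + sig
```

With AD clear and an RRSIG present, the stub knows the server vouched for nothing but it has the material to validate the answer itself.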
