[Dnssec-deployment] DNSSEC aware recursive name servers

Patrik Fältström paf at cisco.com
Sat Aug 6 02:15:14 EDT 2011


On 5 aug 2011, at 22.26, Matt Thompson wrote:

> On 8/5/11 2:38 PM, Patrik Fältström wrote:
>> 2. Secure the trust of the signaling itself, i.e. communication path between stub and recursive resolver Patrik 
> This has been on the back burner for me for a while, but I propose something like the attached.
> 
> I have had this working in code.

So, you bootstrap security by relying on X.509 CA's? Same set of CAs that we use for SSL certs (for example)? That does not sound to be very reliable...

But, I think there can be many different ways of securing this path. One can be to run the resolver on 127.0.0.1, another to use TSIG and always communicate with the same resolver (that I trust).

Etc...

We have plenty of room for invention here.

   Patrik



More information about the Dnssec-deployment mailing list