[Dnssec-deployment] Curious about dnssec at the client level.
Olaf Kolkman
olaf at NLnetLabs.nl
Tue Dec 13 09:50:04 EST 2011
On Dec 9, 2011, at 11:29 PM, Robert Edmonds wrote:
>> On Fri, Dec 09, 2011 at 04:39:25PM -0500, Robert Edmonds wrote:
>>> i wrote a validating stub resolver plugin for glibc:
>>>
>>> https://github.com/edmonds/nss-ubdns
>>>
>>> it interfaces between the system's name service switch and libunbound so
>>> that validation occurs inside the process that calls gethostbyname(),
>>> getaddrinfo(), etc. not sure if that counts as a "clever hack".
>>
>> Hey, that is pretty cool! Do you always get the data you need to do full
>> validation just going through a resolver?
>
> yes, it's configured to only talk to the resolvers specified in
> /etc/resolv.conf. validation works great on my desktop (where i have a
> clear network path) if i've configured it to use a full recursive BIND
> or unbound server on my local network, or if i use an open recursive
> service like level3's. but validation fails with google and opendns's
> open recursive services. those services appear to be unable to locate
> DS records.
Combine with dnssec-trigger and as a roaming user you are in business.
(New release today: http://www.nlnetlabs.nl/projects/dnssec-trigger/)
--Olaf
________________________________________________________
Olaf M. Kolkman NLnet Labs
http://www.nlnetlabs.nl/
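
A validating stub of the kind discussed in this thread can only validate if the upstream resolver hands back DS records and their signatures. The sketch below is an added example, not code from nss-ubdns, dnssec-trigger or the thread: it builds a DS query with the EDNS0 DO bit set and checks whether a reply carries DS plus RRSIG. The function names and both sample replies are constructed for illustration.

```python
import struct
DS, RRSIG, OPT = 43, 46, 41  # RR type codes
def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ds_query(zone, qid=0x1234):
    """DS query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", DS, 1)
    # OPT RR: root owner, class = UDP payload size, TTL field = flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def answer_types(msg):
    """Return (rcode, list of RR types in the answer section)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return flags & 0x000F, types

def passes_dnssec_records(msg):
    """True if the answer carries DS data together with its RRSIG."""
    rcode, types = answer_types(msg)
    return rcode == 0 and DS in types and RRSIG in types

def _rr(rtype, rdata):  # constructed sample RR; owner is a pointer to the question name
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
_q = encode_name("example.org") + struct.pack("!HH", DS, 1)
GOOD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _q + _rr(DS, b"\x00" * 36) + _rr(RRSIG, b"\x00" * 40)
STRIPPED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _q  # NOERROR, empty answer
```

To use it against a real resolver, send the bytes from `build_ds_query()` over UDP port 53 to each nameserver listed in /etc/resolv.conf and pass the reply to `passes_dnssec_records()`. A positive result shows only that the records get through, not that they validate.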