[Dnssec-deployment] Curious about dnssec at the client level.

Olaf Kolkman olaf at NLnetLabs.nl
Tue Dec 13 09:50:04 EST 2011


On Dec 9, 2011, at 11:29 PM, Robert Edmonds wrote:

>> On Fri, Dec 09, 2011 at 04:39:25PM -0500, Robert Edmonds wrote:
>>> i wrote a validating stub resolver plugin for glibc:
>>> 
>>>    https://github.com/edmonds/nss-ubdns
>>> 
>>> it interfaces between the system's name service switch and libunbound so
>>> that validation occurs inside the process that calls gethostbyname(),
>>> getaddrinfo(), etc.  not sure if that counts as a "clever hack".
>> 
>> Hey, that is pretty cool! Do you always get the data you need to do full
>> validation just going through a resolver? 
> 
> yes, it's configured to only talk to the resolvers specified in
> /etc/resolv.conf.  validation works great on my desktop (where i have a
> clear network path) if i've configured it to use a full recursive BIND
> or unbound server on my local network, or if i use an open recursive
> service like level3's.  but validation fails with google and opendns's
> open recursive services.  those services appear to be unable to locate
> DS records.

Combine with dnssec-trigger and as a roaming user you are in business.

(New release today: http://www.nlnetlabs.nl/projects/dnssec-trigger/)

--Olaf



________________________________________________________ 

Olaf M. Kolkman                        NLnet Labs
http://www.nlnetlabs.nl/
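
To check which of the resolvers in /etc/resolv.conf can feed a validating stub like the one described in the quoted message, the following added example (not part of the thread, and not code from nss-ubdns or dnssec-trigger) builds a DS query with the DO bit set and checks whether the answer carries a DS RRset together with an RRSIG covering it. The function names, the sample zone and the constructed responses are assumptions; an empty answer is only one way a resolver that cannot locate DS records might look on the wire.

```python
import socket
import struct

DS, RRSIG, OPT = 43, 46, 41

def message(zone, flags, answers=(), edns=False):
    """Header + DS question, optional answers (name by pointer), optional OPT."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in zone.strip(".").split(".") if lab)
    out = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, int(edns))
    out += qname + b"\x00" + struct.pack("!HH", DS, 1)
    for rtype, rdata in answers:
        out += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    if edns:  # EDNS0 OPT: root name, UDP size 4096, DO bit (0x8000) in the TTL field
        out += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    return out

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)          # pointer is 2 bytes, root label 1

def summarize(msg):
    """Report whether the answer section holds DS records and an RRSIG over DS."""
    _, flags, qd, an, _, _ = struct.unpack_from("!6H", msg)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    rrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        covered = struct.unpack_from("!H", msg, off + 10)[0] if rtype == RRSIG else None
        rrs.append((rtype, covered))
        off += 10 + rdlen
    rcode, ds, sig = flags & 0xF, sum(t == DS for t, _ in rrs), (RRSIG, DS) in rrs
    return {"rcode": rcode, "ds": ds, "rrsig_over_ds": sig, "usable": rcode == 0 and ds > 0 and sig}

def probe(server, zone, timeout=3.0):
    """Live check against one resolver (fixed query ID: diagnostic use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(message(zone, 0x0100, edns=True), (server, 53))
        return summarize(sock.recv(4096))

# Constructed samples: placeholder digest and signature bytes, not real DNSSEC data.
DS_RDATA = struct.pack("!HBB", 12345, 8, 2) + bytes(32)
SIG_RDATA = struct.pack("!HBBIIIH", DS, 8, 1, 3600, 0, 0, 0) + b"\x00" + bytes(64)
SIGNED = message("example.com", 0x8180, [(DS, DS_RDATA), (RRSIG, SIG_RDATA)])
STRIPPED = message("example.com", 0x8180)  # NOERROR with an empty answer section
```

`probe("192.0.2.53", "example.com")` runs the same check against a live resolver; the address is a documentation placeholder. The check only shows whether the records arrive, it does not verify the signature.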











     


