[Dnssec-deployment] Fetching the RRSIGs can be a problem too.

Mark Andrews marka at isc.org
Thu Sep 1 20:13:48 EDT 2011


In message <CACU5sDkhuCSHBq4OGLYn2NeGJJ_MzUmnuXSXP_yawqWkDL3iSA at mail.gmail.com>,
 Mohan Parthasarathy writes:
> 
> On Thu, Sep 1, 2011 at 1:07 PM, Paul Vixie <vixie at isc.org> wrote:
> 
> > > Date: Thu, 1 Sep 2011 09:17:03 -0700
> > > From: Mohan Parthasarathy <suruti94 at gmail.com>
> > >
> > > Do you have a clear path today ? If not, do you know when we are going
> > > to have that clear path ? Coming across a broken CPE box is not that
> > > uncommon. I was trying to see if there is a simple way to workaround
> > > it at least in some cases.
> >
> > i don't think you're going to get there with "forwarders".  it's going
> > to take a fair bit of work to make dnssec validation work across the
> > common case of "broken CPE".  i'm thinking dns-over-https as a service,
> > used as a proxy when the hotel's broken middlebox gets in the way.
> >
> Who would be operating this service? So, it is a recursive server talking
> https on one side and DNS on the other side? Why should I trust this service?

Because the data is self authenticating provided you get it all
back.  DNSSEC is designed to work where you don't trust intermediate
boxes.

Just the other day I was sitting in a hotel with a "transparent"
intercepting DNS cache.  This was not an issue for DNSSEC validation
because it was DNSSEC aware and returned the records which allowed
me to validate the responses.  The only thing I needed to tweak was
to set RD=1 on all queries or else the "transparent" intercepting
DNS cache wouldn't recurse for me.

Mark

> regards
> mohan
> 
> 
> > background on this can be found below -- noting that validation is a
> > "dnssec application" in this context:
> >
> > http://www.circleid.com/posts/defense_in_depth_for_dnssec_applications/
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
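As an added illustration of the two points in Mark's reply (the query has to carry RD=1 before an intercepting cache will recurse, and the answer is self-authenticating only if it comes back complete, RRSIGs included), here is Python example code written for this page; it is not from the thread, from ISC or from BIND. It builds the query a validating stub would send and then inspects constructed replies for a cleared RA bit and for answer RRsets whose RRSIG is missing. The owner name www.example.net, the address, the key tag and the RRSIG bytes are made up, and no signature is actually verified; the point is to show which bits matter on the wire.

```python
"""Minimal DNS message builder and checker: the query needs RD=1 (plus the
EDNS0 DO bit to get RRSIGs back), and the client can tell from the reply alone
whether the cache recursed and whether every answer RRset arrived with its
RRSIG.  Wire format per RFC 1035; OPT/DO per RFC 6891 and RFC 3225.
Nothing is sent on the network: all messages are constructed in-line."""
import struct

# Header flag bits (RFC 1035 s4.1.1; AD/CD from RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000                      # DO bit: top bit of the OPT pseudo-RR's TTL field
TYPE_A, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 41, 46, 1

def encode_name(name):
    """Uncompressed wire-format name; the root is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 s4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def build_query(name, qtype, txid=0x1234, rd=True, cd=True, do=True):
    """RD=1 so the intercepting cache recurses, CD=1 so it hands data through
    even if it would not validate, OPT with DO=1 so RRSIGs are returned."""
    flags = (RD if rd else 0) | (CD if cd else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if do:   # OPT: owner=root, type 41, class=UDP payload size, TTL carries DO
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO, 0)
    return msg

def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_response(query, answers, ra=True):
    """Constructed reply echoing the question; ra=False models a cache that
    refused to recurse (what a query without RD=1 got in the hotel)."""
    txid, _, qd = struct.unpack("!HHH", query[:6])
    _, qend = decode_name(query, 12)
    header = struct.pack("!HHHHHH", txid, QR | RD | (RA if ra else 0), qd, len(answers), 0, 0)
    return header + query[12:qend + 4] + b"".join(answers)

def parse_message(msg):
    """Return (flags, {section: [(name, type, class, ttl, rdata), ...]})."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        sections[section] = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[section].append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
    return flags, sections

def has_do(msg):
    return any(t == TYPE_OPT and ttl & DO for _, t, _, ttl, _ in parse_message(msg)[1]["additional"])

def check_response(response):
    """Problems detectable before any crypto: the cache did not recurse, or an
    answer RRset came back without its RRSIG (middlebox stripped it, or DO was
    not set).  Signature verification itself is out of scope here."""
    flags, sections = parse_message(response)
    problems = [] if flags & RA else ["RA=0: cache would not recurse; query must set RD=1"]
    rrsets, covered = set(), set()
    for name, rtype, _, _, rdata in sections["answer"]:
        if rtype == TYPE_RRSIG:
            covered.add((name, struct.unpack("!H", rdata[:2])[0]))  # "type covered" field
        else:
            rrsets.add((name, rtype))
    problems += ["no RRSIG covering %s type %d" % nt for nt in sorted(rrsets - covered)]
    return problems

# Constructed sample data (made-up address and a dummy, unverifiable RRSIG body).
A_RR = rr("www.example.net.", TYPE_A, 3600, bytes([192, 0, 2, 10]))
RRSIG_RR = rr("www.example.net.", TYPE_RRSIG, 3600,
              struct.pack("!HBBIIIH", TYPE_A, 8, 3, 3600, 0, 0, 12345)
              + encode_name("example.net.") + b"\x00" * 16)

if __name__ == "__main__":
    q = build_query("www.example.net.", TYPE_A)
    print("DO set:", has_do(q))
    print("complete:", check_response(build_response(q, [A_RR, RRSIG_RR])))
    print("RRSIG stripped:", check_response(build_response(q, [A_RR])))
    print("no recursion:", check_response(build_response(q, [], ra=False)))
```

A real stub resolver would follow the "no RRSIG" case by treating the answer as bogus rather than unsigned, since a signed zone is expected to return signatures for every RRset; the DO bit is what asks the cache to include them, and the CD bit keeps a validating cache from withholding data it cannot verify itself.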
