Thanks Evan for answering my questions. I will look more into getdns-api or the libunbound library for the client side resolve.
Rgds
Simon

On Tue, Feb 13, 2018 at 3:00 PM, Evan Hunt <e...@isc.org> wrote:
> On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote:
> > 1. Assume if I use an external recursive resolver and if that resolver does
> > not support DNSSEC, how can I validate the signature?
>
> Depends what you mean by supporting DNSSEC; see below.
>
> > 2. If I use an external resolver and if a hacker sits in between my
> > system and the external resolver, will it detect?
>
> That's exactly what DNSSEC is for. If someone alters the answer,
> the signatures won't validate.
>
> > 3. When the external resolver resolves a query and when it responds back to
> > the client, will it strip off the signatures? I assume the validation is
> > already done at the recursive resolver.
>
> The resolver doesn't have to do DNSSEC validation itself (though of course
> it's a good idea). It just needs to pass along signatures on request. If
> you're using a resolver that doesn't do that... well, use a different one.
>
> You can run a resolver as a separate local process, listening on the
> localhost address. This ensures you have the resolver features you need
> and also makes it quite a lot harder to mount a man-in-the-middle attack.
>
> > 4. Can I integrate dnsmasq option with my client application? Any reference.
>
> If you need it to be built in to your application, I'm not sure. Warren's
> suggestion of using getdns-api was a better idea anyway.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
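To check what Evan describes for questions 1 and 3 (a resolver need not validate, but must pass RRSIGs along when asked), here is an added Python example that is not code from the thread or from ISC: it builds a query carrying the EDNS0 DO bit and inspects a reply for RRSIG records and the AD flag. The reply bytes are constructed inline rather than captured, so it runs offline.

```python
import struct

# Added example (not from the thread): DO-bit query builder and response inspector.
def build_query(name, qtype=1, dnssec_ok=True):
    """Query with an EDNS0 OPT record; the DO bit asks the resolver to include RRSIGs."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack(">HH", qtype, 1)
    if dnssec_ok:  # OPT RR: root name, type 41, UDP size 4096, ext-rcode/version 0, DO flag, no rdata
        msg += b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return msg

def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += length + 1

def inspect_response(msg):
    """Return the AD flag, the rcode and whether any RRSIG (type 46) record is present."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"ad": bool(flags & 0x0020), "rcode": flags & 0xF, "rrsig": 46 in types}

def constructed_response(with_rrsig, ad):
    """Constructed sample reply for example.com A (192.0.2.1), optionally with an RRSIG and AD set."""
    name = b"\x07example\x03com\x00"
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180 | (0x0020 if ad else 0), 1, 2 if with_rrsig else 1, 0, 0)
    msg = hdr + name + struct.pack(">HH", 1, 1)
    msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:  # RRSIG rdata: covered type, alg, labels, orig TTL, expiry, inception, key tag, signer, sig
        rdata = struct.pack(">HBBIIIH", 1, 8, 2, 3600, 0, 0, 0) + name + b"\x00" * 16  # placeholder sig bytes
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 46, 1, 3600, len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    # A reply with no RRSIG to a DO-bit query means the resolver strips signatures.
    print(inspect_response(constructed_response(True, True)), inspect_response(constructed_response(False, False)))
```

Sending `build_query()` over UDP to a real resolver and feeding the reply to `inspect_response()` shows whether that resolver passes signatures along; AD set means it validated, but a client that validates itself should rely on the RRSIGs, not on AD from an untrusted resolver.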
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users