On 05/07/2012 19:09, Mark Felder wrote: > On Thu, 05 Jul 2012 11:05:42 -0500, Damien Fleuriot <[email protected]> wrote: > >> Using a third-party's name servers is not an option > > And how can you trust that your port 53 TCP/UDP traffic isn't being > redirected and you're talking to the real root servers? I think you're > being a bit too paranoid...
DNSSEC. That's how.
Well, it doesn't stop your traffic being redirected, but it does
guarantee that the data you receive is authentic.
The tricky bit is ensuring that your queries don't get redirected
between the stub-resolver built into libc, and whatever trusted
recursive resolver does the DNSSEC validation for you. AFAIK, no
operating system has a stub resolver the capability to validate DNSSEC.
But that would be a really excellent enhancement if it was feasible.
Cheers,
Matthew
PS. "Too paranoid?" That's impossible.
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: [email protected] Kent, CT11 9PW
signature.asc
Description: OpenPGP digital signature
