Subject: Re: DNSSEC and SSL Date: Sun, Aug 22, 2010 at 09:11:43AM -0400 Quoting ML (m...@kenweb.org): > On 8/22/2010 2:38 AM, Mikael Abrahamsson wrote: > > No, because DNSSEC isn't secured all the way from the DNS server to the > > application, only to the resolver. Both systems have problems, I'd > > imagine the best security is when they work together. > > > > Is a DNSSEC capable stub resolver not in the cards?
The best option today is to run a full-service resolver on the host; which is a tad heavy for most desktops, not to speak about the cache misses that would cause root server system load. The latter of course can be avoided by setting forwarders. OTOH: A thicker stub resolver does indeed exist; lwresd in the BIND suite. Calling it from applications does however mean using new API calls; since the traditional resolver API is oblivious to DNSSEC. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 What PROGRAM are they watching?
pgpJ6qsHvpwVd.pgp
Description: PGP signature
