On Thu, 13 Oct 2011, Tomas Mraz wrote:
>
>> And if this malicious DNS administrator controls the caching
>> nameserver you're using for DNS queries, he can present you ANY data
>> even 'valid' fake DNSSEC data.
>
> This is not generally true. Resolver libraries can (and should, IMHO)
> verify DNSSEC themselves. Otherwise DNSSEC is somewhat pointless,
> because it is precisely when you are stuck behind an untrusted Wifi
> gateway that you need DNSSEC the most.
Yes, they can and should. But they don't.
We're testing
ftp://ftp.xelerance.com/dnssec-trigger/ and I hope it can
get integrated into Fedora.
It means running DNSSEC-aware resolvers on the end node, with as much use
as possible of DHCP-obtained DNS server caches.
Paul
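The setup Paul describes, a validating resolver on the end node that forwards to the caches DHCP handed out but still checks the signatures itself, can be approximated with a hand-written unbound configuration. This is an added example, not part of the thread and not dnssec-trigger's own generated configuration; the forwarder addresses and the trust-anchor path are assumptions (documentation-range addresses standing in for whatever DHCP supplied, and a path that varies by distribution).

```conf
# Added example: minimal unbound.conf for a validating resolver on the end node.
# Not from the mailing-list thread or from dnssec-trigger; addresses and paths are placeholders.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Validate locally; do not trust the AD bit set by an upstream cache
    # (populate this file once with unbound-anchor; path is an assumption).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    # A forwarder that strips DNSSEC records yields a bogus answer, not a silent fallback.
    harden-dnssec-stripped: yes

forward-zone:
    name: "."
    # Caches learned from DHCP (constructed placeholder addresses).
    # Answers from them are still validated by this resolver.
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
```

With this in place the end node gets the cache's speed but not its trustworthiness: a query such as `dig +dnssec example.com @127.0.0.1` shows the `ad` flag only when the local resolver validated the chain itself, and a deliberately broken test zone returns SERVFAIL regardless of what the DHCP-supplied cache claims. dnssec-trigger automates the part this fragment hard-codes, rewriting the forwarder list as the network changes and falling back to full recursion when a cache proves unusable.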