VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Paul Wouters paul at xelerance.com
Thu Oct 13 14:21:24 UTC 2011


On Thu, 13 Oct 2011, Tomas Mraz wrote:

>>
>>> And if this malicious DNS administrator controls the caching
>>> nameserver you're using for DNS queries, he can present you ANY data
>>> even 'valid' fake DNSSEC data.
>>
>> This is not generally true. Resolver libraries can (and should, IMHO)
>> verify DNSSEC themselves. Otherwise DNSSEC is somewhat pointless,
>> because it is precisely when you are stuck behind an untrusted Wifi
>> gateway that you need DNSSEC the most.
> Yes, they can and should. But they don't.

We're testing ftp://ftp.xelerance.com/dnssec-trigger/ and I hope it can
get integrated into Fedora.

It means running DNSSEC-aware resolvers on the end node, with as much use
as possible of DHCP-obtained DNS server caches.

Paul
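The distinction the thread draws (an AD bit is only evidence of DNSSEC validation if the validator is the one on your own host) is exactly what an SSH client's VerifyHostKeyDNS check depends on. The following is an added illustration written for this archive page; it is not code from OpenSSH, dnssec-trigger, or any resolver library. The DNS answer bytes, the host name host.example, the host key blob and the "loopback resolver only" policy in verify_host_key_dns are all constructed assumptions for the example; the SSHFP wire layout and the header flag bits follow RFC 4255/6594 and RFC 4035.

```python
"""Added example: SSHFP matching and what the DNS AD bit is worth.

Not part of OpenSSH or dnssec-trigger. All inputs below are constructed.
"""
import hashlib
import ipaddress
import struct

# SSHFP code points (RFC 4255, RFC 6594): algorithm byte and fingerprint-type byte.
SSHFP_ALGO = {1: "ssh-rsa", 2: "ssh-dss", 3: "ecdsa", 4: "ed25519"}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}
SSHFP_TYPE = 44


def parse_header_flags(msg: bytes) -> dict:
    """Header flag bits of a DNS wire-format message (RFC 1035; AD/CD from RFC 4035)."""
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "qr": bool(flags & 0x8000),
        "ad": bool(flags & 0x0020),  # Authenticated Data: set by whoever validated (or claims to)
        "cd": bool(flags & 0x0010),  # Checking Disabled
        "rcode": flags & 0x000F,
    }


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def sshfp_rdatas(msg: bytes) -> list:
    """Return the rdata of every SSHFP record in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SSHFP_TYPE:
            out.append(msg[off:off + rdlen])
        off += rdlen
    return out


def sshfp_fingerprint(host_key_blob: bytes, fptype: int) -> bytes:
    """Fingerprint of the SSH public-key blob, as stored in an SSHFP record."""
    return SSHFP_FPTYPE[fptype](host_key_blob).digest()


def sshfp_matches(rdata: bytes, host_key_blob: bytes) -> bool:
    """rdata layout: algorithm(1) || fptype(1) || fingerprint."""
    algo, fptype = rdata[0], rdata[1]
    if algo not in SSHFP_ALGO or fptype not in SSHFP_FPTYPE:
        return False
    return rdata[2:] == sshfp_fingerprint(host_key_blob, fptype)


def verify_host_key_dns(resolver_ip: str, msg: bytes, host_key_blob: bytes) -> str:
    """Classify what an SSHFP answer is worth.

    A matching record is only 'secure' when the answer carries AD, and (the
    point of this thread, encoded as an assumed policy here, not OpenSSH's
    actual behaviour) only when the validating resolver is on this host.
    """
    flags = parse_header_flags(msg)
    matched = any(sshfp_matches(rd, host_key_blob) for rd in sshfp_rdatas(msg))
    if not matched:
        return "no-match"  # fall back to known_hosts / interactive prompt
    if not flags["ad"]:
        return "match-insecure"  # informational only; still prompt the user
    if not ipaddress.ip_address(resolver_ip).is_loopback:
        return "match-ad-untrusted"  # AD bit set by a cache we do not control
    return "match-secure"


def build_constructed_answer(host_key_blob: bytes, ad_bit: bool) -> bytes:
    """Construct (not capture) a wire-format SSHFP answer for host.example."""
    flags = 0x8180 | (0x0020 if ad_bit else 0)  # QR, RD, RA (+ AD)
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    qname = b"\x04host\x07example\x00"
    question = qname + struct.pack("!HH", SSHFP_TYPE, 1)
    rdata = bytes([4, 2]) + sshfp_fingerprint(host_key_blob, 2)  # ed25519 / SHA-256
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SSHFP_TYPE, 1, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # Constructed ed25519 host key blob (SSH wire encoding of a dummy 32-byte key).
    key = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
    msg = build_constructed_answer(key, ad_bit=True)
    for resolver in ("127.0.0.1", "192.0.2.53"):
        print(resolver, verify_host_key_dns(resolver, msg, key))
```

The same answer bytes yield "match-secure" from a loopback validator but only "match-ad-untrusted" from a remote cache: the AD bit is identical in both, which is why validation has to happen on the end node, as dnssec-trigger aims to arrange, rather than being inferred from whatever the DHCP-supplied forwarder returns.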

