[dns-operations] Kaminsky: Protect IP Act Would Break DNS
Olaf Kolkman
olaf at NLnetLabs.nl
Mon Jul 18 15:02:41 UTC 2011
On Jul 17, 2011, at 2:08 PM, Joe Greco wrote:
>> [Authoritative DNS servers operator hat on.]
>>
>> On Sat, Jul 16, 2011 at 07:29:24AM -0500,
>> Joe Greco <jgreco at ns.sol.net> wrote
>> a message of 74 lines which said:
>>
>>> Also, in the past decade, what was once considered a heavy duty
>>> server is now available in the form factor of my cell phone. The
>>> resources to do resolution locally exist.
>>
>> The hardware resources. For the software, there are still a few
>> improvements to make. For instance, to have a local resolver on your
>> Ubuntu box, you need to:
>>
>> * install the server ('aptitude install unbound')
>> * edit the DHCP config so ::1 is put before the DHCP-learned servers
>> * work around the brokenness of middleboxes
>>
>> The first two points are not a big deal for a dns-operations subscriber
>> but still too complicated for the average user.
>
> That's probably not the most likely point at which to tackle the
> issue, due to choices made years ago by Microsoft, etc. Since your
> average consumer doesn't use Ubuntu, you might as well discuss the
> difficulty of setting up a local resolver on a Sun workstation.
First a shameless plug:
http://www.unbound.net/documentation/unbound-windows-manual-01.pdf
>
> Let's talk real world.
Note that the shameless plug was above that statement.
> Let's talk your next door neighbor's network. That's a Windows XP box, a Mac, some wifi, and random other devices
> on a DHCP network hanging off a D-Link router. The obvious place for
> this sort of thing to start out is at the D-Link router; it offers a
> single point at which a resolver can be installed for this "site" with
> minimal hassle, and a bonus that the configuration of the rest of the
> network is automagic.
>
The CPE would be a good place, although I believe that in the end the DNSSEC validation needs to be very close to the application. Preferably on the same device.
--Olaf
________________________________________________________
Olaf M. Kolkman NLnet Labs
http://www.nlnetlabs.nl/
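The three-step recipe quoted in Olaf's reply (install unbound, put the loopback resolver ahead of the DHCP-learned servers, work around middleboxes), together with Olaf's point that validation belongs on the same device as the application, as an added shell example. This is not code from the original thread or from NLnet Labs; the file paths, the ISC dhclient option syntax, the EDNS buffer size and the config directory layout are assumptions about a 2011-era Ubuntu box, and the DHCPv4 `prepend` line uses 127.0.0.1 because the quoted message's ::1 would belong in the DHCPv6 `dhcp6.name-servers` option instead.

```shell
#!/bin/sh
# Added example, not part of the original thread: the quoted three-step recipe
# (install unbound, prefer the loopback resolver over DHCP-learned ones, work
# around middleboxes) as config generators plus a validation check.
# Assumptions: Ubuntu's unbound reads /etc/unbound/unbound.conf.d/*.conf, the
# root trust anchor lives in /var/lib/unbound/root.key, and ISC dhclient writes
# /etc/resolv.conf from the lease.
set -eu

# Step 1 (after 'aptitude install unbound'): a validating resolver that only
# listens on loopback, so validation happens on the same device as the
# applications that rely on it.
unbound_local_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    # DNSSEC validation on the host itself (assumed Ubuntu anchor path).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Step 3: many CPE routers drop fragmented UDP or large EDNS responses,
    # which is exactly what DNSSEC answers tend to be.  A small EDNS buffer
    # keeps answers unfragmented; unbound falls back to TCP when they do not fit.
    edns-buffer-size: 1232
    harden-dnssec-stripped: yes
EOF
}

# Step 2: 'prepend' puts our resolver in front of the DHCP-learned servers in
# the resolv.conf that dhclient generates.  IPv4 option form (assumption).
dhclient_prepend_conf() {
    printf 'prepend domain-name-servers 127.0.0.1;\n'
}

# Stage both snippets under $1 (copy to /etc as root to apply); prints the
# path of the generated unbound snippet.
write_configs() {
    mkdir -p "$1/unbound/unbound.conf.d" "$1/dhcp"
    unbound_local_conf > "$1/unbound/unbound.conf.d/local-validator.conf"
    dhclient_prepend_conf >> "$1/dhcp/dhclient.conf"
    printf '%s\n' "$1/unbound/unbound.conf.d/local-validator.conf"
}

# Returns 0 if the resolver at $1 (default 127.0.0.1) sets the AD bit on a
# signed zone, i.e. it is actually validating rather than just forwarding.
# Needs dig and network access; not invoked by default.
resolver_validates() {
    dig @"${1:-127.0.0.1}" +dnssec +time=3 +tries=1 . SOA | grep -q 'flags:.* ad'
}

# Read the value of unbound option $1 from a config on stdin (used to check
# what the generator produced before handing it to unbound-checkconf).
unbound_option() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Stand-alone run: stage the configs in a temp dir and print the snippet path.
stage="$(mktemp -d)"
write_configs "$stage"
```

After copying the snippet into /etc/unbound/unbound.conf.d/ and the prepend line into /etc/dhcp/dhclient.conf, `unbound-checkconf`, a restart of unbound and a renewed lease should leave 127.0.0.1 first in /etc/resolv.conf; `resolver_validates` then confirms the AD bit is set by the local resolver rather than trusted from an upstream.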