[dns-operations] DNSSEC validation and crypto on hand-held devices

Jim Reid jim at rfc1035.com
Mon Jul 23 09:45:39 UTC 2012

On 23 Jul 2012, at 10:02, Jan-Piet Mens wrote:

>> It is more complicated, specially with DNSSEC validation. Did anyone
>> try running that on his Android?
> SIDN Labs experimented with LDNS on iOS and got libUnbound working
> with validation. [1]

There's a world of difference between getting something to work and  
having something that's actually usable.

Once upon a time, Telnic (the home of encrypted NAPTR records) put  
crypto into a prototype of its Symbian app. This was in the days  
before Android or even apps. The very clueful contractor used the  
Bouncy Castle Java code because it had a small enough footprint for  
the hardware and phone OS of the time. [OpenSSL was just too chubby.]  
The code worked just fine. However it took tens of seconds to decrypt  
the NAPTRs: clearly unworkable. Crypto code in Java on puny hardware  
is painfully slow.

Even though the hand-held environment has moved on since then, I think  
we'll still hit that wall unless someone inverts GHz-speed processors  
which won't chew mobile-phone size batteries. FWIW, most mobile phones  
have crypto hardware in them to do A5 which is required for GSM and  
3/4G. ISTR it's built into the phone's comms CPU. However it's not  
possible to get to that from the phone OS internals or its API. If  
that was to change however...

IMO, DNSSEC validation in something like an Android handset will be  
like watching an elephant ballet-dance: it can be done but the results  
will be ugly. So the resolvers on these things will almost certainly  
use a secure path to a trusted validating resolver.

PS: Apologies for providing a meaningful and relevant Subject:  
header. :-)

More information about the dns-operations mailing list