[dns-operations] DNSSEC validation and crypto on hand-held devices
Jim Reid
jim at rfc1035.com
Mon Jul 23 09:45:39 UTC 2012
On 23 Jul 2012, at 10:02, Jan-Piet Mens wrote:
>> It is more complicated, specially with DNSSEC validation. Did anyone
>> try running that on his Android?
>
> SIDN Labs experimented with LDNS on iOS and got libUnbound working
> with validation. [1]
There's a world of difference between getting something to work and
having something that's actually usable.
Once upon a time, Telnic (the home of encrypted NAPTR records) put
crypto into a prototype of its Symbian app. This was in the days
before Android or even apps. The very clueful contractor used the
Bouncy Castle Java code because it had a small enough footprint for
the hardware and phone OS of the time. [OpenSSL was just too chubby.]
The code worked just fine. However it took tens of seconds to decrypt
the NAPTRs: clearly unworkable. Crypto code in Java on puny hardware
is painfully slow.
Even though the hand-held environment has moved on since then, I think
we'll still hit that wall unless someone inverts GHz-speed processors
which won't chew mobile-phone size batteries. FWIW, most mobile phones
have crypto hardware in them to do A5 which is required for GSM and
3/4G. ISTR it's built into the phone's comms CPU. However it's not
possible to get to that from the phone OS internals or its API. If
that was to change however...
IMO, DNSSEC validation in something like an Android handset will be
like watching an elephant ballet-dance: it can be done but the results
will be ugly. So the resolvers on these things will almost certainly
use a secure path to a trusted validating resolver.
PS: Apologies for providing a meaningful and relevant Subject:
header. :-)
More information about the dns-operations
mailing list