[dns-operations] DNSSEC validation and crypto on hand-held devices

Warren Kumari warren at kumari.net
Tue Jul 24 15:31:54 UTC 2012

On Jul 23, 2012, at 8:33 AM, Paul Wouters wrote:

> On Mon, 23 Jul 2012, Jim Reid wrote:
>> IMO, DNSSEC validation in something like an Android handset will be like watching an elephant ballet-dance: it can be done but the results will be ugly. So the resolvers on these things will almost certainly use a secure path to a trusted validating resolver.
> You realise you are talking about a hand held device that plays 1136x640
> full motion graphics and runs IPsec VPNS and TLS without problems?
> I'm pretty sure any DNSSEC is latency bound on 3G, not CPU bound.
> unbound with prefetching will be a very robust and fast solution that I
> bet works pretty much transparently (if it has dnssec-trigger to work
> around bad networks)

See also Olafur Gudmundsson's presentation at the DNSSEC workshop at ICANN44 -- "Challenges of Putting the Resolving Validator in a Constrained Environment" http://prague44.icann.org/meetings/prague2012/presentation-dnssec-without-humans-27jun12-en.pdf
 "Is a $70 router fast enough for DNSSEC?" -- https://www.dnssec-deployment.org/index.php/2012/03/is-a-70-router-fast-enough-for-dnssec/

These are both about doing validation on small, crappy CPE, with much smaller processors than Android handsets / tablets…

> Paul
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

American Non-Sequitur Society; 
we don't make sense, but we do like pizza!

More information about the dns-operations mailing list