[dns-operations] DNSCrypt.

Warren Kumari warren at kumari.net
Fri May 31 17:42:51 UTC 2013


On May 31, 2013, at 11:38 AM, Joe Abley <jabley at hopcount.ca> wrote:

> 
> On 2013-05-31, at 11:24, "Dobbins, Roland" <rdobbins at arbor.net> wrote:
> 
>> There's no crypto anything inherent in DNS today, heh.
> 
> Well, apart from the use of TSIG to authenticate zone transfers.
> 
> As I mentioned obliquely, I haven't heard of any widespread use of TSIG or SIG(0) to authenticate the channel between a stub resolver and a recursive resolver, but I'd hesitate to deny that there's any deployment without thinking of what numbers could possibly back up that claim.

From everything that I can tell, this is no deployment of .SIG between stub and recursive -- this is based upon the fact that I'd really *like* to be able to do this, and have spent some time looking into how, but no-one seems to know how to actually configure something to do this…

Running 'strings' on recover libraries *seems* to make it appear that the code exists, and asking folk who should know elicits "Oh, yeah, you add, um, something to /etc/resolve.conf… I think it is called 'tsig-ke..' um, no, it's 'key-tai…' um, yeah, I *think* this is doable, but I cannot remember at the moment *how*. I'll get back to you…"

Yes, I realize I could just go actually go read the source, spend some cycles looking at lwres, etc, but I'd rather simply kvetch [0]

W

[0]: AKA, it hasn't risen to the top of my annoyance pile yet...

> 
> 
> Joe
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 

--
"I think perhaps the most important problem is that we are trying to understand the fundamental workings of the universe via a language devised for telling one another when the best fruit is." --Terry Prachett 





More information about the dns-operations mailing list