[dns-operations] More DNSSEC validators to expect

Paul Wouters paul at nohats.ca
Thu May 26 13:37:11 UTC 2016

On Tue, 24 May 2016, Jan Včelak wrote:

>>> New version of Linux' systemd has DNSSEC validation enabled by default:
>>> http://news.softpedia.com/news/systemd-230-launches-with-dnssec-enabled-by-default-in-systemd-resolved-more-504339.shtml
>> Which sends out all application queries over all interfaces to all
>> DNS servers, and uses the first answer that comes back irrespective of
>> DNSSEC status.
> Let's call it "Opportunistic DNSSEC".

But that's a problem. The design favours the local attacker. So it is
more like "security when not under attack". Applications have no way
of saying "I need a secure answer for this".

Since we are bootstrapping opportunistic security _using_ DNSSEC, you
can't just relay unprotected DNS answers from random sources for what
are really signed zones. That's really breaking the API contract of
the DO/AD bits.
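An application-side check of the DO/AD contract described above, added here as an example and not code from this thread, from systemd, or from any DNS library: it builds a query with the EDNS0 DO bit set and, when the caller needs a secure answer, refuses any response that comes back without AD instead of taking the first reply. The name example.com, the transaction id and the sample responses are constructed assumptions.

```python
import struct

AD = 0x0020   # Authenticated Data bit in the DNS header flags word
DO = 0x8000   # DNSSEC OK bit in the EDNS0 OPT record's TTL field

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query with RD=1 and an EDNS0 OPT record carrying DO=1,
    i.e. the client asks for DNSSEC data (and AD on validated answers)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)           # QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO, 0)     # root name, type OPT, 4096 payload
    return header + question + opt

def query_sets_do(query):
    """Walk past the question section and read the OPT RR's TTL field for DO."""
    i = 12
    while query[i] != 0:
        i += query[i] + 1
    i += 1 + 4                                  # terminating zero, QTYPE, QCLASS
    if query[i] != 0 or struct.unpack("!H", query[i + 1:i + 3])[0] != 41:
        return False
    ttl = struct.unpack("!I", query[i + 5:i + 9])[0]
    return bool(ttl & DO)

def accept_answer(response, require_secure):
    """Application-side policy: a caller that needs a secure answer refuses any
    response whose AD bit is clear, rather than taking the first reply that arrives."""
    if len(response) < 12:
        return False
    flags = struct.unpack("!H", response[2:4])[0]
    if not (flags & 0x8000) or (flags & 0x000F):  # not a response, or non-zero RCODE
        return False
    return bool(flags & AD) or not require_secure

def sample_response(query, validated):
    """Constructed sample response (not captured traffic): echo the query with
    QR/RD/RA set, plus AD when the resolver reports it validated the answer."""
    flags = 0x8180 | (AD if validated else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]
```

The AD bit is only meaningful when the resolver that set it is reached over a trusted path; an AD flag relayed from whichever server answered first is exactly the weakness under discussion.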