[dns-operations] More DNSSEC validators to expect
Paul Wouters
paul at nohats.ca
Thu May 26 13:37:11 UTC 2016
On Tue, 24 May 2016, Jan Včelak wrote:
>>> New version of Linux' systemd has DNSEC validation enabled by default:
>>>
>>> http://news.softpedia.com/news/systemd-230-launches-with-dnssec-enabled-by-default-in-systemd-resolved-more-504339.shtml
>>
>> Which sends out all application queries over all interfaces to all
>> DNS servers, and uses the first answer that comes back irrespective of
>> DNSSEC status.
>
> Let's call it "Opportunistic DNSSEC".
But that's a problem. The design favours the local attacker. So it is
more like "security when not under attack". Applications have no way
of saying "I need a secure answer for this".
Since we are bootstrapping opportunistic security _using_ DNSSEC, you
can't just relay unprotected DNS answers from random sources for what
are really signed zones. That's really breaking the API contract of
the DO/AD bits.
Paul
More information about the dns-operations
mailing list