[dns-operations] More DNSSEC validators to expect
paul at nohats.ca
Thu May 26 13:37:11 UTC 2016
On Tue, 24 May 2016, Jan Včelak wrote:
>>> New version of Linux' systemd has DNSSEC validation enabled by default:
>> Which sends out all application queries over all interfaces to all
>> DNS servers, and uses the first answer that comes back irrespective of
>> DNSSEC status.
> Let's call it "Opportunistic DNSSEC".
But that's a problem. The design favours the local attacker. So it is
more like "security when not under attack". Applications have no way
of saying "I need a secure answer for this".
Since we are bootstrapping opportunistic security _using_ DNSSEC, you
can't just relay unprotected DNS answers from random sources for what
are really signed zones. That's really breaking the API contract of
the DO/AD bits.
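The two resolver policies being argued about here, as an added illustration that is not part of the thread and not systemd-resolved's code: "first answer wins, DNSSEC status ignored" against "the application asked for a validated answer". Replies, round-trip times, and addresses are constructed (RFC 5737 documentation ranges); `Reply.trusted_validator` is an assumed attribute standing in for "this server's AD bit is meaningful to us" (a validator reached over loopback or another trusted path, which is what the DO/AD contract presumes).

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # Authenticated Data: a validating resolver sets it on validated answers
CD = 0x0010  # Checking Disabled


def build_header(txid: int, flags: int, qd: int = 1, an: int = 1) -> bytes:
    """Build a 12-byte DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, 0, 0)


def header_flags(msg: bytes) -> int:
    """Return the 16-bit flags word of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    return struct.unpack("!H", msg[2:4])[0]


def has_ad(msg: bytes) -> bool:
    """True if the reply carries the AD bit (it says nothing about who set it)."""
    return bool(header_flags(msg) & AD)


@dataclass
class Reply:
    server: str
    rtt_ms: float
    trusted_validator: bool  # assumed attribute: AD from this server is trustworthy to us
    msg: bytes               # raw DNS message (header only in this example)
    answer: str              # the A record the reply carries, decoded up front (constructed)


def first_answer_wins(replies: List[Reply]) -> Reply:
    """Policy described in the thread: use whatever comes back first, DNSSEC status ignored."""
    return min(replies, key=lambda r: r.rtt_ms)


def require_validated(replies: List[Reply], zone_is_signed: bool) -> Optional[Reply]:
    """Policy an application needs when it says 'I need a secure answer for this'."""
    # AD only counts from a validator we trust; a rogue server can set the bit too.
    validated = [r for r in replies if r.trusted_validator and has_ad(r.msg)]
    if validated:
        return min(validated, key=lambda r: r.rtt_ms)
    if zone_is_signed:
        return None  # signed zone but no validated answer: treat as bogus, SERVFAIL to the app
    return first_answer_wins(replies)  # unsigned zone: there is nothing to validate


def sample_replies() -> List[Reply]:
    """Constructed replies to one query, ordered as they would arrive on a LAN."""
    return [
        Reply("198.51.100.9 (rogue host on the LAN, one hop away)", 1.0, False,
              build_header(0x1234, QR | RD | RA), "192.0.2.66"),
        Reply("198.51.100.10 (rogue host that sets AD to look validated)", 2.0, False,
              build_header(0x1234, QR | RD | RA | AD), "192.0.2.67"),
        Reply("127.0.0.1 (local validating resolver)", 25.0, True,
              build_header(0x1234, QR | RD | RA | AD), "192.0.2.10"),
    ]


if __name__ == "__main__":
    replies = sample_replies()
    print("first answer wins :", first_answer_wins(replies).answer)
    print("require validated :", require_validated(replies, zone_is_signed=True).answer)
    print("only rogue replies:", require_validated(replies[:2], zone_is_signed=True))
```

With the constructed replies, the first-answer policy returns the rogue host's record because it is closest, and the second rogue reply shows why `has_ad` alone is not enough: the AD bit is unauthenticated data unless it comes from a validator reached over a path you trust. The validated policy picks the slower loopback resolver and, when no trustworthy validated reply arrives for a signed zone, returns nothing rather than an unprotected answer.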