Paul Wouters:
> I'm currently aware of two (non-dns utilities) applications that make
> security decisions based on "blindly" trusting the AD bit: ssh with
> VerifyHostKeyDNS=yes|ask and Postfix.

opendkim could be linked with libunbound too to mark a dkim key fetched for validation as "secured" or "nonsecured".

> libreswan and strongswan are examples of applications that use libunbound
> for in-application DNSSEC validation to avoid needing to trust
> /etc/resolv.conf DNS servers for the AD bit.

opendkim too... Upon validation, DKIM public keys are fetched from DNS and the validation result is part of the Authentication-Results header. But there is no further policy decision made.

> 4 In the ideal world tomorrow, each host has its own automatically
> configured, perfectly working validating DNS server and resolv.conf can
> be ignored or is always hardcoded with nameserver 127.0.0.1

Oh, I have been near your ideal world for years :-)

$ cat /etc/resolv.conf
nameserver ::1

Andreas

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
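The distinction this exchange turns on, between an AD bit set by whatever resolver /etc/resolv.conf points at and validation the application performs itself, as an added Python example that is not from this thread or from any of the programs named in it (ssh, Postfix, opendkim, libreswan, strongswan). The DNS messages are constructed inside the code, and the loopback-only rule in resolver_path_is_trusted is an assumption of the example, standing in for whatever resolver path a real application decides it can trust; it shows why the same AD=1 answer is usable from nameserver ::1 but not from a resolver across the network.

```python
"""Added example: reading the DNS AD bit and deciding whether to trust it."""
import ipaddress
import struct

# DNS header flag masks (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
QR_FLAG = 0x8000  # message is a response
RD_FLAG = 0x0100  # recursion desired
RA_FLAG = 0x0080  # recursion available
AD_FLAG = 0x0020  # Authenticated Data: the *resolver* claims it validated
CD_FLAG = 0x0010  # Checking Disabled: client asked the resolver not to validate
RCODE_SERVFAIL = 2


def build_response(flags: int, qname: str = "example.com") -> bytes:
    """Construct a minimal DNS response (header plus one SSHFP question).

    These bytes are constructed for the demo, not captured traffic.
    """
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 44, 1)  # QTYPE=SSHFP(44), QCLASS=IN
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header and pull out the bits an application cares about."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "response": bool(flags & QR_FLAG),
        "ad": bool(flags & AD_FLAG),
        "cd": bool(flags & CD_FLAG),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def resolver_path_is_trusted(resolver_ip: str) -> bool:
    """Hypothetical policy (an assumption of this example, not of any real program).

    The AD bit is plain text on the wire, so it only means something when the
    path to the resolver cannot be tampered with. Here that is taken to be
    loopback only, matching the 'nameserver ::1' resolv.conf quoted above.
    """
    return ipaddress.ip_address(resolver_ip).is_loopback


def dnssec_status(msg: bytes, resolver_ip: str) -> str:
    """Map a stub-resolver answer to the three states an application can act on.

    'secure'   - AD set by a resolver on a trusted path; SSHFP/TLSA/DKIM data
                 may be used without falling back to a user prompt
    'insecure' - AD absent, or AD set by a resolver whose answer could have been
                 rewritten in transit; treat the data as unauthenticated
    'servfail' - a validating resolver answers SERVFAIL for bogus data, so the
                 application cannot tell 'bogus' from an ordinary lookup failure
    """
    hdr = parse_header(msg)
    if not hdr["response"]:
        raise ValueError("not a response message")
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if hdr["ad"] and not hdr["cd"] and resolver_path_is_trusted(resolver_ip):
        return "secure"
    return "insecure"


# Constructed sample responses: validated (AD=1), unvalidated (AD=0), bogus (SERVFAIL).
VALIDATED = build_response(QR_FLAG | RD_FLAG | RA_FLAG | AD_FLAG)    # flags 0x81A0
UNVALIDATED = build_response(QR_FLAG | RD_FLAG | RA_FLAG)             # flags 0x8180
BOGUS = build_response(QR_FLAG | RD_FLAG | RA_FLAG | RCODE_SERVFAIL)  # flags 0x8182

if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range address standing in for a remote resolver.
    for name, msg in (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("bogus", BOGUS)):
        for resolver in ("::1", "192.0.2.53"):
            print(f"{name:11s} via {resolver:10s} -> {dnssec_status(msg, resolver)}")
```

Running it shows the point of the thread: the identical AD=1 response is "secure" from ::1 and "insecure" from 192.0.2.53, because nothing in the message itself proves who set the bit. An application that links libunbound instead performs the validation locally and does not need resolver_path_is_trusted at all, which is the route libreswan, strongswan and (optionally) opendkim take.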
