>>>>> "Yoav" == Yoav Nir <y...@checkpoint.com> writes:

    Jorge> I agree DNSSEC cannot be assumed, its deployments have been
    Jorge> marginal.

    >> DNSSEC is *one* *public* trusted third party. It's not the only
    >> way to use DNS securely, it's just the easiest one to arrange
    >> between total strangers.

    Yoav> Yup, except that the problem we're trying to solve here is not
    Yoav> that of total strangers.

If the entities are in fact a group who have an internal trust anchor:

a) if they want to use DNSSEC, it only matters that they have DNSSEC
   deployed for the part of the reverse zone they use, and that they
   have a trust anchor into that.

b) a really simple way to get secure DNS data is to make every (gateway)
   machine a secondary for the zones in question.

c) a second way is to simply point the /etc/resolv.conf and/or the
   DNS forwarders to some *set* of internal servers, ideally
   authenticated with TSIG... OR, even do it over the single
   spoke-to-hub IPsec tunnel.

Finally, if we are talking IPv4, then the internal IPs are likely
RFC1918, and so one can't use the public DNS anyway, so you have to do
either (b) or (c) ANYWAY.

Again, this can all be done with existing protocols and existing
software, which, on a Linux machine, you can do a yum install or
apt-get install.
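A sketch of options (b) and (c) above as a BIND 9 named.conf fragment for one gateway, added here as an illustration and not taken from the thread or from any project; the key name, secret placeholder, server addresses and the 10.in-addr.arpa zone are all made up, and the syntax assumes BIND 9.16 or newer.

```conf
// Added illustration for options (b) and (c); every name and address is made up.
// Shared TSIG key; generate the secret on the primary with `tsig-keygen gw-xfer-key`.
key "gw-xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, not a real key
};

// Sign every request (queries and zone transfers) sent to each internal server,
// so the internal side can reject anything not carrying the shared key.
server 10.0.0.53 { keys { "gw-xfer-key"; }; };
server 10.0.0.54 { keys { "gw-xfer-key"; }; };

// Option (b): the gateway holds a full copy of the internal reverse zone,
// pulled only from the internal primaries and never re-served onward.
zone "10.in-addr.arpa" IN {
    type secondary;                        // "slave" on BIND before 9.16
    primaries { 10.0.0.53; 10.0.0.54; };   // "masters" on BIND before 9.16
    file "secondary/10.in-addr.arpa.db";
    allow-transfer { none; };
};

// Option (c): everything else goes only to the internal set of servers
// (reachable over the spoke-to-hub tunnel), never to public resolvers.
// Hosts behind the gateway then simply put "nameserver <gateway>" in resolv.conf.
options {
    forward only;
    forwarders { 10.0.0.53; 10.0.0.54; };
    allow-query { localhost; 10.0.0.0/8; };
};
```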
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec