On Sat, 15 Jan 2011 06:28:51 -0500 Josh Smith <juice...@gmail.com> wrote:
> <tongue in cheek flame>
> I've got to say I'm surprised the dns server in the base system of the
> world's most secure OS is not able to validate dnssec responses
> </tongue in cheek flame>

Actually there is much debate about how much security dnssec adds, at least currently. OpenSSL even has had its bugs. It is clear however that it makes Denial Of Service attacks much easier. The tcp resolv.conf option (quite possibly unique to OpenBSD) can already add much security to your resolving too. I imagine DNSSEC has very little to do with the unbound import. I am certainly not saying don't use DNSSEC, but you need to bear in mind the consequences. DNSSEC was known to need revising when it was rolled out, but I believe was implemented to give it many kicks in the direction of getting it right, as throwing millions of dollars at it wasn't ironing much out.

Any axe murderers out there? ;-)