On Sun, Jan 23, 2011 at 08:06:09PM +0000, Kevin Chadwick wrote:
> On Sat, 15 Jan 2011 06:28:51 -0500
> Josh Smith <juice...@gmail.com> wrote:
> > <tongue in cheek flame>
> > I've got to say I'm surprised the dns server in the base system of the
> > world's most secure OS is not able to validate dnssec responses
> > </tongue in cheek flame>
> 
> Actually there is much debate about how much security dnssec adds,
> at least currently. OpenSSL even has had its bugs. It is clear however
> that it makes Denial Of Service attacks much easier. The tcp resolv.conf
> option (quite possibly unique to OpenBSD) can already add much security
> to your resolving too. I imagine DNSSEC has very little to do with the
> unbound import.

The tcp option in resolv.conf might be reasonable for a single workstation
but, due to the protocol overhead, is not appropriate for larger networks /
many clients.

> I am certainly not saying don't use DNSSEC but you need to bear in mind
> the consequences. DNSSEC was known to need revising when it was rolled
> out, but I believe was implemented to give it many kicks in the
> direction of getting it right as throwing millions of dollars at it,
> wasn't ironing much out.
> 
> Any axe murderers out there? ;-)

DNS looks trivial in the first place but it isn't.
Please keep in mind that DNS is hidden in almost all common network
services so you want to make and keep your DNS queries and responses
as secure as possible.
