Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Rick van Rein
Mon Jan 13 22:51:37 CET 2014


>> I’d like to trust the signed portion of DNS, and build security systems on top of that.  So the _old_ DNS isn’t the right thing for the applications I have in mind.
> Could you expand a bit on the kind of applications you have in mind?

Anything that bases security on DNS info, really; just a few that spring to mind:
- public key info such as TLSA and CERT records
- in some cases, perhaps, references to services (to avoid MITM scenarios based on DNS)
- Kerberos currently mistrusts DNS for non-configured domain lookups, and must therefore be configured manually, which is a shame if DNSSEC can help

DNSSEC offers an opportunity to secure DNS; the current assumption is that the provider of the information chooses whether or not to secure it; but in some cases the user of the information wants to be able to constrain the information to be trusted to only information that is certainly correct.