[Unbound-users] Insisting on DNSSEC

Rick van Rein rick at openfortress.nl
Mon Jan 13 22:51:37 CET 2014


>> I’d like to trust the signed portion of DNS, and build security systems on top of that.  So the _old_ DNS isn’t the right thing for the applications I have in mind.
> Could you expand a bit on the kind of applications you have in mind?

Anything that bases security on DNS info, really; just a few that spring to mind:
- public key info such as TLSA and CERT records
- in some cases, perhaps, references to services (to avoid MITM scenarios based on DNS)
- Kerberos currently mistrusts DNS for non-configured domain lookups, and must therefore be configured manually, which is a shame if DNSSEC can help

DNSSEC offers an opportunity to secure DNS; the current assumption is that the provider of the information chooses whether or not to secure it; but in some cases the user of the information wants to be able to constrain the information to be trusted to only information that is certainly correct.
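The policy described in this post, enforced in code: an application that wants to "insist on DNSSEC" checks the AD (Authenticated Data) bit of each answer and only feeds validated data, such as a TLSA record, into a security decision. This is an added illustration, not code from the poster or from Unbound; the DNS headers and TLSA rdata are constructed samples, and the AD bit is only meaningful when the validating resolver (e.g. a local Unbound) and the path to it are themselves trusted.

```python
import struct

# Header flag bits (RFC 1035 s4.1.1; AD and CD defined in RFC 4035).
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = (
    0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields the policy needs."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & 0x000F, "ancount": an}

def answer_is_trustworthy(msg: bytes, resolver_is_trusted: bool) -> bool:
    """Only DNSSEC-validated answers may drive security decisions.

    The AD bit is an assertion made by the resolver, so it counts only when
    that resolver is trusted (a local validating Unbound reached over loopback,
    for instance); from an arbitrary upstream it proves nothing."""
    if not resolver_is_trusted:
        return False
    h = parse_header(msg)
    if not h["qr"] or h["tc"] or h["rcode"] != 0:   # not a complete, clean answer
        return False
    return h["ad"] and h["ancount"] > 0

def parse_tlsa_rdata(rdata: bytes) -> dict:
    """Split TLSA rdata (RFC 6698): usage, selector, matching type, cert data."""
    if len(rdata) < 4:
        raise ValueError("TLSA rdata too short")
    return {"usage": rdata[0], "selector": rdata[1],
            "matching_type": rdata[2], "cert_assoc": rdata[3:]}

def build_header(flags: int, ancount: int = 1, ident: int = 0x1234) -> bytes:
    """Construct a sample header (demonstration data, not captured traffic)."""
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)

VALIDATED = build_header(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)   # signed zone, validated
UNSIGNED = build_header(FLAG_QR | FLAG_RD | FLAG_RA)              # plain "old" DNS answer
SERVFAIL = build_header(FLAG_QR | FLAG_RD | FLAG_RA | 2, ancount=0)  # rcode 2: validation failed

if __name__ == "__main__":
    for name, hdr in (("validated", VALIDATED), ("unsigned", UNSIGNED), ("servfail", SERVFAIL)):
        print(name, answer_is_trustworthy(hdr, resolver_is_trusted=True))
    # Constructed TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
    print(parse_tlsa_rdata(bytes([3, 1, 1]) + bytes(32))["matching_type"])
```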

