Preview of data before security is established
Rick van Rein
rick at openfortress.nl
Fri May 27 11:30:56 CEST 2016
Is there any way for an asynchronous program to get a preview of DNS
data that is in the process of being validated?
For instance, we sometimes need to go over these three records in a
_kerberos.arpa2.org. IN TXT "ARPA2.ORG"
_kerberos._udp.arpa2.org. IN SRV 10 10 88 ...
_88._udp.arpa2.org. IN TLSA ...
...and could imagine speeding up this enforced sequence by using the
insecure data as a hint, and later mop up all the security status of the
three components (before acting on it externally).
FWIW, I sent a similar question to the GetDNS users list, with more
elaborate information on this use case; we use this for Kerberos realm
crossover. The last two steps also need to be sequentially ordered for
DANE when we access a remote LDAP directory from our TLS Pool. The
_kerberos TXT record is described in draft-vanrein-dnstxt-krb1 which
currently sits in the RFC editor queue.
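The speculative chaining the post asks about, as an added example that is not part of the post and not the Unbound or GetDNS API: a hypothetical asynchronous resolver stub hands back rdata as soon as it arrives and finishes DNSSEC validation later, the Kerberos TXT -> SRV -> TLSA chain uses each unvalidated answer only as a hint to issue the next query, and the security status of all three is mopped up before anything is returned for external use. The zone data is constructed (the TXT value and port come from the post; the SRV target and TLSA rdata are sample values, not real arpa2.org data), and the resolver's class and method names are assumptions.

```python
"""Speculative chaining of DNS lookups with deferred DNSSEC mop-up.

Constructed model, not Unbound or GetDNS code: a resolver returns
unvalidated rdata as soon as it arrives and completes validation later.
The chain fires the next query from the unvalidated hint at once, then
waits for all validation results before the caller may act externally.
"""
import asyncio
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # DNSSEC validated
    INSECURE = "insecure"  # provably unsigned (no chain of trust)
    BOGUS = "bogus"        # signatures present but validation failed


# Constructed zone data for the three records in the post; the SRV target
# and TLSA rdata are sample values, not real arpa2.org data.
ZONE = {
    ("_kerberos.arpa2.org.", "TXT"): "ARPA2.ORG",
    ("_kerberos._udp.arpa2.org.", "SRV"): "10 10 88 kdc.arpa2.org.",
    ("_88._udp.arpa2.org.", "TLSA"): "3 1 1 0123456789abcdef",
}


class HintingResolver:
    """Hypothetical async resolver: rdata now, validation status later."""

    def __init__(self, statuses, preview_delay=0.001, validate_delay=0.05):
        self.statuses = statuses          # (name, qtype) -> Status
        self.preview_delay = preview_delay
        self.validate_delay = validate_delay
        self.events = []                  # ordered trace of what happened

    async def _validate(self, key):
        await asyncio.sleep(self.validate_delay)
        self.events.append(f"validated {key[0]} {key[1]}")
        return self.statuses[key]

    async def lookup(self, name, qtype):
        key = (name, qtype)
        self.events.append(f"lookup {name} {qtype}")
        await asyncio.sleep(self.preview_delay)
        rdata = ZONE[key]
        self.events.append(f"preview {name} {qtype}")
        # Validation keeps running in the background; the caller gets a future.
        return rdata, asyncio.ensure_future(self._validate(key))


@dataclass
class KdcLocation:
    realm: str
    host: str
    port: int
    tlsa: str


def combine(statuses):
    """One BOGUS poisons the whole chain; otherwise the weakest link wins."""
    if any(s is Status.BOGUS for s in statuses):
        return Status.BOGUS
    if any(s is Status.INSECURE for s in statuses):
        return Status.INSECURE
    return Status.SECURE


async def locate_kdc(resolver, domain):
    """TXT -> SRV -> TLSA, each next query driven by the unvalidated hint."""
    realm, v_txt = await resolver.lookup(f"_kerberos.{domain}", "TXT")
    realm_domain = realm.lower().rstrip(".") + "."
    srv, v_srv = await resolver.lookup(f"_kerberos._udp.{realm_domain}", "SRV")
    _prio, _weight, port, target = srv.split()
    tlsa, v_tlsa = await resolver.lookup(f"_{port}._udp.{realm_domain}", "TLSA")
    # Mop up: only now does the security status of all three components matter.
    overall = combine(await asyncio.gather(v_txt, v_srv, v_tlsa))
    return KdcLocation(realm, target, int(port), tlsa), overall


def run_chain(statuses):
    """Drive the chain once; returns (location, overall status, event trace)."""
    resolver = HintingResolver(statuses)
    loc, overall = asyncio.run(locate_kdc(resolver, "arpa2.org."))
    return loc, overall, resolver.events


if __name__ == "__main__":
    loc, overall, events = run_chain({k: Status.SECURE for k in ZONE})
    print(overall, loc)
    print("\n".join(events))
```

The event trace shows the SRV query being issued while the TXT record is still under validation, which is the speed-up the post is after; the only thing the insecure hint is ever used for is issuing further queries, and the combined status gates any external use (a KDC connection, a DANE-pinned LDAP session), so a bogus or insecure link anywhere in the chain still prevents acting on it.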