The worst thing about the exploit -- Have you done your part?

Alan Clegg Alan_Clegg at isc.org
Tue Jul 29 17:00:57 UTC 2008


> So what about all other apps that use DNS?
> Don't they have to be 'fixed' too?
> Should the application refuse to work if it encounters a bad DNSSEC signature?
> (Any guesses as to when Bind 9.6 will appear?)

If you trust your upstream resolver to do the validation for you, then
all applications that use DNS are now secured by DNSSEC.  If you don't
trust your upstream, then your application needs to become aware of DNSSEC.

I run a validating resolver on my laptop so I am able to trust my
"upstream" and therefore am not concerned about DNSSEC-aware applications.

Data returned regarding any zones that are in the same DLV registry that
I am using is guaranteed to be legit.

AlanC
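
An added example, not part of the original post: how an application that relies on a trusted validating upstream (such as a resolver on the loopback interface) can read the validation result from the DNS header. The function names and sample responses are constructed for illustration; the AD bit is only meaningful when the path to the resolver is itself trusted.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035).
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
SERVFAIL = 2


def build_query(name, qtype=1, qid=0x1234):
    """Build a query with RD and AD set. AD in a query signals that the
    client understands the AD bit in the response (RFC 6840)."""
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def classify(response):
    """Classify a response from a trusted validating resolver.

    'validated'   : AD set, the resolver checked the DNSSEC chain.
    'servfail'    : resolution failed; a validating resolver answers this
                    way when signatures are bad, so the application never
                    sees the bogus data.
    'unvalidated' : answer returned without AD (unsigned zone or no
                    trust anchor covering it).
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("not a response")
    if flags & 0x000F == SERVFAIL:
        return "servfail"
    return "validated" if flags & AD else "unvalidated"


def _sample(flags, ancount):
    # Constructed header-only responses; real ones carry question/answer data.
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


SAMPLE_VALIDATED = _sample(QR | RD | RA | AD, 1)
SAMPLE_UNSIGNED = _sample(QR | RD | RA, 1)
SAMPLE_BOGUS = _sample(QR | RD | RA | SERVFAIL, 0)

if __name__ == "__main__":
    for s in (SAMPLE_VALIDATED, SAMPLE_UNSIGNED, SAMPLE_BOGUS):
        print(classify(s))
```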





More information about the bind-users mailing list