DNSSEC validation
Evan Hunt
each at isc.org
Tue Feb 13 23:00:24 UTC 2018
On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote:
> 1. Assume if I use an external recursive resolver and if that resolver does
> not support DNSSEC, how can I validate the signature?
Depends what you mean by supporting DNSSEC; see below.
> 2. If I use an external resolver and if a hacker sits in between my
> system and the external resolver, will it detect?
That's exactly what DNSSEC is for. If someone alters the answer,
the signatures won't validate.
> 3. When the external resolver resolves a query and when it responds back to
> the client, will it strip off the signatures? I assume the validation is
> already done at the recursive resolver.
The resolver doesn't have to do DNSSEC validation itself (though of course
it's a good idea). It just needs to pass along signatures on request. If
you're using a resolver that doesn't do that... well, use a different one.
You can run a resolver as a separate local process, listening on the
localhost address. This ensures you have the resolver features you need
and also makes it quite a lot harder to mount a man-in-the-middle attack.
> 4. Can I integrate dnsmasq option with my client application? Any reference?
If you need it to be built into your application, I'm not sure. Warren's
suggestion of using getdns-api was a better idea anyway.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
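A way to check the point made above about a resolver "passing along signatures on request": the client sets the EDNS0 DO bit in its query and then looks for RRSIG records (and the AD flag) in the reply. This is an added example, not code from the thread or from ISC; it uses only the Python standard library, parses a constructed reply so it runs offline, and all function names are my own. The bytes from `build_query` can be sent as a UDP datagram to port 53 of any resolver and the reply fed to `inspect_response`.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000  # DO bit in the OPT record's flags: "please include RRSIGs"

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def opt_record():
    # OPT pseudo-RR: root owner, type 41, UDP payload 4096, ext-rcode 0, version 0, DO set, rdlen 0
    return b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)

def build_query(name, qtype=TYPE_A, txid=0x1234):
    # Wire-format query: RD set, one question, one additional record (the OPT with DO)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_record()

def skip_name(msg, off):
    # Advance past an owner name; a 0xC0 prefix is a compression pointer (RFC 1035 4.1.4)
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def inspect_response(msg):
    """Report whether the resolver set AD and whether any RRSIG came back."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"ad": bool(flags & 0x0020), "has_rrsig": TYPE_RRSIG in types, "types": types}

def rr_to_qname(rtype, rdata, ttl=300):
    # RR whose owner is a compression pointer to the question name at offset 12
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_response(with_rrsig):
    """Constructed reply to an A query for example.com with AD set; RRSIG rdata is a dummy."""
    answers = [rr_to_qname(TYPE_A, bytes([192, 0, 2, 1]))]
    if with_rrsig:
        answers.append(rr_to_qname(TYPE_RRSIG, b"\x00" * 20))
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, len(answers), 0, 1)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answers) + opt_record()
```

A resolver that answers with `has_rrsig` false to a DO query is the one the reply above says to replace; note that AD only reports the resolver's own validation and is itself unprotected on the wire, which is why a local validating resolver on localhost is the safer setup.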