From: Matthew Seaman
Date: Thu, 05 Jul 2012 19:51:25 +0100
To: freebsd-hackers@freebsd.org
Subject: Re: Pull in upstream before 9.1 code freeze?

On 05/07/2012 19:09, Mark Felder wrote:
> On Thu, 05 Jul 2012 11:05:42 -0500, Damien Fleuriot wrote:
>
>> Using a third-party's name servers is not an option
>
> And how can you trust that your port 53 TCP/UDP traffic isn't being
> redirected and you're talking to the real root servers? I think you're
> being a bit too paranoid...

DNSSEC. That's how. Well, it doesn't stop your traffic being redirected,
but it does guarantee that the data you receive is authentic.

The tricky bit is ensuring that your queries don't get redirected
between the stub-resolver built into libc, and whatever trusted
recursive resolver does the DNSSEC validation for you.

AFAIK, no operating system has a stub resolver with the capability to
validate DNSSEC. But that would be a really excellent enhancement if it
was feasible.

Cheers,

Matthew

PS. "Too paranoid?" That's impossible.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard, Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
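
Added example, not part of Matthew Seaman's message: the only DNSSEC signal a non-validating stub receives is the AD (Authenticated Data) header bit, which is not itself signed, so identical response bytes deserve different trust depending on the stub-to-resolver hop. The loopback-only trust policy, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020  # DNS header flag bits
RCODE_MASK, SERVFAIL = 0x000F, 2

def build_query(qname, txid, qtype=1):
    """Minimal query with RD=1 and AD=1 (AD in a query asks for the AD bit back)."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return (txid, flags) from a DNS message, rejecting truncated input."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes; message too short")
    return struct.unpack("!HH", msg[:4])

def stub_verdict(msg, txid, resolver_ip):
    """What a non-validating stub can conclude from one response."""
    rtxid, flags = parse_header(msg)
    if rtxid != txid or not (flags & QR):
        return "reject"
    if (flags & RCODE_MASK) == SERVFAIL:
        return "servfail"          # how a validating resolver reports bogus data
    if not (flags & AD):
        return "unvalidated"
    # Assumed policy: the AD bit is unsigned, so believe it only when the
    # resolver is on this host and the hop cannot be rewritten in transit.
    if ipaddress.ip_address(resolver_ip).is_loopback:
        return "validated"
    return "ad-untrusted"

def constructed_response(query, flags):
    """Constructed sample: echo the query with new header flags (no answer RRs)."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("www.freebsd.org", 0x1A2B)
    signed = constructed_response(q, QR | RD | RA | AD)
    for ip in ("127.0.0.1", "192.0.2.53"):
        print(ip, stub_verdict(signed, 0x1A2B, ip))
```

The same AD-flagged bytes yield "validated" from a resolver on loopback and "ad-untrusted" from one reached over the network, which is the unprotected hop the message describes.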