Date: Thu, 05 Jul 2012 19:51:25 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: freebsd-hackers@freebsd.org Subject: Re: Pull in upstream before 9.1 code freeze? Message-ID: <4FF5E22D.9000007@infracaninophile.co.uk> In-Reply-To: <op.wgzjeotz34t2sn@localhost> References: <CA%2BQLa9B-Dm-=hQCrbEgyfO4sKZ5aG72_PEFF9nLhyoy4GRCGrA@mail.gmail.com> <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <op.wgvhfja234t2sn@tech304> <4FF5BB56.10100@my.gd> <op.wgzjeotz34t2sn@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig62B49468B54697CF6E038AD3 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 05/07/2012 19:09, Mark Felder wrote: > On Thu, 05 Jul 2012 11:05:42 -0500, Damien Fleuriot <ml@my.gd> wrote: >=20 >> Using a third-party's name servers is not an option >=20 > And how can you trust that your port 53 TCP/UDP traffic isn't being > redirected and you're talking to the real root servers? I think you're > being a bit too paranoid... DNSSEC. That's how. Well, it doesn't stop your traffic being redirected, but it does guarantee that the data you receive is authentic. The tricky bit is ensuring that your queries don't get redirected between the stub-resolver built into libc, and whatever trusted recursive resolver does the DNSSEC validation for you. AFAIK, no operating system has a stub resolver the capability to validate DNSSEC. But that would be a really excellent enhancement if it was feasible. Cheers, Matthew PS. "Too paranoid?" That's impossible. --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matthew@infracaninophile.co.uk Kent, CT11 9PW --------------enig62B49468B54697CF6E038AD3 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/14i0ACgkQ8Mjk52CukIz69wCcDAmL9gvsA1x1nNECI+SOI4fY lkUAni93kFIjGpYlW9CLUwMev+qNhI3Q =JadK -----END PGP SIGNATURE----- --------------enig62B49468B54697CF6E038AD3--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FF5E22D.9000007>