Date:      Thu, 05 Jul 2012 19:51:25 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Pull in upstream before 9.1 code freeze?
Message-ID:  <4FF5E22D.9000007@infracaninophile.co.uk>
In-Reply-To: <op.wgzjeotz34t2sn@localhost>
References:  <CA%2BQLa9B-Dm-=hQCrbEgyfO4sKZ5aG72_PEFF9nLhyoy4GRCGrA@mail.gmail.com> <4FF2E00E.2030502@FreeBSD.org> <86bojxow6x.fsf@ds4.des.no> <op.wgvhfja234t2sn@tech304> <4FF5BB56.10100@my.gd> <op.wgzjeotz34t2sn@localhost>

On 05/07/2012 19:09, Mark Felder wrote:
> On Thu, 05 Jul 2012 11:05:42 -0500, Damien Fleuriot <ml@my.gd> wrote:
>
>> Using a third-party's name servers is not an option
>
> And how can you trust that your port 53 TCP/UDP traffic isn't being
> redirected and you're talking to the real root servers? I think you're
> being a bit too paranoid...

DNSSEC.  That's how.

Well, it doesn't stop your traffic being redirected, but it does
guarantee that the data you receive is authentic.

The tricky bit is ensuring that your queries don't get redirected
between the stub-resolver built into libc, and whatever trusted
recursive resolver does the DNSSEC validation for you.  AFAIK, no
operating system has a stub resolver with the capability to validate
DNSSEC.  But that would be a really excellent enhancement if it was
feasible.

	Cheers,

	Matthew

PS. "Too paranoid?" That's impossible.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
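
Added example, not part of the original message: a sketch of what a non-validating stub resolver actually sees from its recursive resolver, showing that "validated" and "not validated" replies differ by a single unauthenticated header bit (AD), which is why the stub-to-resolver hop matters. All function names, the query name and the sample reply are constructed for illustration.

```python
import struct

# Header flag masks; AD is the "Authenticated Data" bit (RFC 4035).
QR, RD, RA, AD, RCODE = 0x8000, 0x0100, 0x0080, 0x0020, 0x000F
DO = 0x8000  # "DNSSEC OK" flag carried in the EDNS0 OPT TTL field (RFC 3225)


def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Recursive query asking for DNSSEC processing (AD in header, DO in OPT)."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, UDP size 1232, TTL field = DO, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt


def make_response(query, ad):
    """Constructed sample reply with one A record (192.0.2.1) and no signatures."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if ad else 0)
    question = query[12:-11]  # drop the 11-byte OPT record
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def stub_view(response, txid=0x1234):
    """Everything a non-validating stub can learn about validation status."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to our query")
    return {"rcode": flags & RCODE, "answers": an, "ad": bool(flags & AD)}


def differing_bits(a, b):
    """Count the bits that differ between two equal-length messages."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    q = build_query("example.org")
    validated, unvalidated = make_response(q, True), make_response(q, False)
    print(stub_view(validated), stub_view(unvalidated))
    print("bits that differ:", differing_bits(validated, unvalidated))
```

The stub never checks a signature itself, so the AD bit is only as trustworthy as the path to the resolver that set it (a resolver on localhost, or a channel that is itself authenticated).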