feature request: modify getrrsetbyname() to use libunbound
Robert Story
rstory at tislabs.com
Wed May 9 22:59:53 EST 2012
On Wed, 09 May 2012 12:44:13 +0200 Ondřej wrote:
OC> There is only one pitfall. The autonomous validation is attempted only
OC> if the DNS response does not contain the AD flag. Therefore if someone
OC> changes the DNS response on the wire and leaves the AD flag set,
OC> spurious data are trusted without further validating. This is not
OC> secure, as the link between the computer and the DNS resolver cannot
OC> generally be trusted.
Yes, which is why we prefer our DNSSEC-Tools libval patch, which always
does local validation and does not depend on the AD flag.
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
Robert
--
Senior Software Engineer
SPARTA, Inc., a Parsons Company
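The pitfall Ondřej describes and the fix Robert prefers, as an added example (not OpenSSH, libunbound or libval code): a minimal DNS wire-format SSHFP response is built with the AD bit set, an on-path attacker swaps the fingerprint while leaving the header (AD included) untouched, and two client policies are compared. The AD-only policy trusts the tampered answer; the always-validate policy rejects it. Everything here is constructed: the host keys, the zone key and the signature record. The "RRSIG" is an HMAC over the RRset under a key the client holds as its trust anchor, standing in for the public-key RRSIG verification real DNSSEC does; it is stdlib-only so it runs offline.

```python
"""AD bit vs. local validation for SSHFP lookups (added example, stdlib only)."""
import hashlib
import hmac
import struct

AD_FLAG = 0x0020                       # Authenticated Data bit in the DNS header flags word
TYPE_SSHFP, TYPE_RRSIG, CLASS_IN = 44, 46, 1
ZONE_KEY = b"constructed-zone-key"     # stand-in for the zone's DNSKEY / client trust anchor


def encode_name(name):
    """Uncompressed wire-format owner name."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name, following one level of 0xC0 compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]).lstrip(".") + ".", off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode())
        off += length


def sign_rrset(name, rtype, rdata):
    """Stand-in for an RRSIG: HMAC over the canonical RRset (real DNSSEC uses public-key signatures)."""
    canon = encode_name(name.lower()) + struct.pack("!H", rtype) + rdata
    return hmac.new(ZONE_KEY, canon, hashlib.sha256).digest()


def build_response(qname, sshfp_rdata, ad):
    """Constructed resolver reply: header, question, SSHFP answer, signature record."""
    flags = 0x8180 | (AD_FLAG if ad else 0)              # QR, RD, RA (+AD)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 2, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_SSHFP, CLASS_IN)

    def rr(rtype, rdata):                                 # owner name = pointer to the question name
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata

    sig = sign_rrset(qname, TYPE_SSHFP, sshfp_rdata)
    return hdr + question + rr(TYPE_SSHFP, sshfp_rdata) + rr(TYPE_RRSIG, sig)


def parse_response(msg):
    """Return the AD bit and the answer RRs as {type: (name, rdata, rdata_offset)}."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                              # qtype, qclass
    rrs = {}
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs[rtype] = (name, msg[off:off + rdlen], off)
        off += rdlen
    return {"ad": bool(flags & AD_FLAG), "qname": qname, "rrs": rrs}


def mitm_replace_sshfp(msg, new_rdata):
    """On-path attacker between client and resolver: swap the fingerprint, keep every header bit."""
    _, old, off = parse_response(msg)["rrs"][TYPE_SSHFP]
    if len(new_rdata) != len(old):
        raise ValueError("keep the rdlength unchanged")
    return msg[:off] + new_rdata + msg[off + len(old):]


def validate_locally(parsed):
    """Client-side check against the trust anchor, independent of what the resolver claims."""
    name, rdata, _ = parsed["rrs"][TYPE_SSHFP]
    sig = parsed["rrs"][TYPE_RRSIG][1]
    return hmac.compare_digest(sig, sign_rrset(name, TYPE_SSHFP, rdata))


def sshfp_trusted_ad_only(msg):
    """The pitfall: validate locally only when the resolver did not set AD."""
    parsed = parse_response(msg)
    if parsed["ad"]:
        return True                                       # trusts the resolver AND the wire to it
    return validate_locally(parsed)


def sshfp_trusted_always_validate(msg):
    """The libval-style behaviour: AD is ignored, every answer is validated locally."""
    return validate_locally(parse_response(msg))


# Constructed SSHFP rdata: algorithm 1, fingerprint type 1 (SHA-1), then the digest.
REAL_RDATA = bytes([1, 1]) + hashlib.sha1(b"constructed real host key").digest()
EVIL_RDATA = bytes([1, 1]) + hashlib.sha1(b"constructed attacker host key").digest()

if __name__ == "__main__":
    genuine = build_response("host.example.com.", REAL_RDATA, ad=True)
    tampered = mitm_replace_sshfp(genuine, EVIL_RDATA)
    print("AD still set on tampered reply:", parse_response(tampered)["ad"])
    print("AD-only policy trusts tampered:", sshfp_trusted_ad_only(tampered))
    print("always-validate trusts tampered:", sshfp_trusted_always_validate(tampered))
```

The tampered reply still carries AD because the attacker never has to touch the header; the only thing standing between that reply and a bogus host key is a signature check the client performs itself, which is exactly the check the AD-only policy skips.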