DNSSEC HW Support
Warren Kumari
warren at kumari.net
Tue Mar 16 20:10:34 UTC 2010
On Mar 16, 2010, at 11:39 AM, Niobos wrote:
> On 2010-03-16 15:57, prock111 at yahoo.com wrote:
>> I'm trying to figure out how many tests I need to run for an
>> individual product (layer 2, 3, 4, and 7) before I can say it is
>> completely DNSSEC compliant.
> By definition, any layer 2, 3 and 4 product is DNSSEC-agnostic:
Well, yes, kinda.
Unfortunately there are a large number of things like firewalls and
consumer CPE that folks think of as layer 3/4 devices, but that do
silly things like assume DNS is only UDP, or max out at 512 bytes or
force DNS proxy mode.
While we could argue for hours about whether they are really only l3/l4
devices, it wouldn't change the fact that folks think of them as
"routers".
ICANN SSAC / CORE released a report a while back: http://www.icann.org/en/committees/security/sac035.pdf
and I know that I have seen a bunch of other more recent tests.
W
> DNS with
> or without SEC-extension is considered payload. If an L2, 3 or 4 device
> does work with DNS and doesn't work with DNSSEC, it's broken and needs
> replacement. For completeness: switches and routers are layer 2 and 3
> respectively.
>
> Layer 7 devices might be affected, since they may perform extensive
> checking on the DNS-content itself.
>
> To answer your question: 0 tests for layer 2, 3 and 4. To be
> "completely
> compliant", you'd need to run an infinite number of tests for layer 7
> devices. I'd test the different algorithms, including some very recent
> (RSASHA512) and different security statuses (bogus, insecure, secure).
>
> Niobos
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
"Beware that the most effective way for someone to decrypt your data
may be with rubber hose." --- SSH 1.2.12 README