DNSSEC validation

Evan Hunt each at isc.org
Tue Feb 13 23:00:24 UTC 2018

On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote:
> 1. Assume if I use an external recursive resolver and if that resolver does
> not support DNSSEC, how can I validate the signature?

Depends what you mean by supporting DNSSEC; see below.

> 2. If I use an external resolver and if a hacker sits in between my
> system and the external resolver, will it detect ?

That's exactly what DNSSEC is for. If someone alters the answer,
the signatures won't validate.

> 3. When the external resolver resolve a query and when it response back to
> the client, will it strip off the signatures? I assume the validation is
> already done at the recursive resolver.

The resolver doesn't have to do DNSSEC validation itself (though of course
it's a good idea). It just needs to pass along signatures on request. If
you're using a resolver that doesn't do that... well, use a different one.

You can run a resolver as a separate local process, listening on the
localhost address. This ensures you have the resolver features you need
and also makes it quite a lot harder to mount a man-in-the-middle attack.

> 4. Can I integrate dnsmasq option with my client application? Any reference.

If you need it to be built in to your application, I'm not sure.  Warren's
suggestion of using getdns-api was a better idea anyway.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list