DNSSEC validation

SIMON BABY simonkbaby at gmail.com
Tue Feb 13 23:22:55 UTC 2018


Thanks Evan for answering my questions. I will look more into getdns-api or
the libunbound library for the client-side resolve.

Rgds
Simon

On Tue, Feb 13, 2018 at 3:00 PM, Evan Hunt <each at isc.org> wrote:

> On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote:
> > 1. Assume I use an external recursive resolver and that resolver does
> > not support DNSSEC; how can I validate the signature?
>
> Depends what you mean by supporting DNSSEC; see below.
>
> > 2. If I use an external resolver and if a hacker sits in between my
> > system and the external resolver, will it detect it?
>
> That's exactly what DNSSEC is for. If someone alters the answer,
> the signatures won't validate.
>
> > 3. When the external resolver resolves a query and responds to the
> > client, will it strip off the signatures? I assume the validation is
> > already done at the recursive resolver.
>
> The resolver doesn't have to do DNSSEC validation itself (though of course
> it's a good idea). It just needs to pass along signatures on request. If
> you're using a resolver that doesn't do that... well, use a different one.
>
> You can run a resolver as a separate local process, listening on the
> localhost address. This ensures you have the resolver features you need
> and also makes it quite a lot harder to mount a man-in-the-middle attack.
>
> > 4. Can I integrate the dnsmasq option with my client application? Any
> > reference?
>
> If you need it to be built into your application, I'm not sure. Warren's
> suggestion of using getdns-api was a better idea anyway.
>
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.
>
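Evan's point above, that the resolver only has to pass signatures along on request and that a validator on localhost is the one whose answers a client can trust, in an added example that is not part of this thread: the query side of the EDNS0 DO bit and the stub-side check on the AD bit, using only the Python standard library. The function names, the constructed response bytes and the loopback-only trust rule are assumptions for illustration.

```python
import struct

DO_FLAG = 0x8000                        # DNSSEC OK bit in the EDNS0 OPT RR (RFC 3225)
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010
LOCAL_RESOLVERS = {"127.0.0.1", "::1"}  # assumption: the validator runs on loopback

def encode_name(name):
    """Uncompressed wire-format owner name."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, dnssec_ok=True, txid=0x1234):
    """Wire-format query; with dnssec_ok an OPT RR asks the resolver to include RRSIGs."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if not dnssec_ok:
        return header + question
    # OPT RR: root name, TYPE 41, UDP size 1232, ext-rcode 0, version 0, flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO_FLAG, 0)
    return header + question + opt

def query_requests_signatures(msg):
    """True if the query's first additional record is an OPT RR with DO set."""
    qdcount, arcount = struct.unpack("!HH", msg[4:6] + msg[10:12])
    pos = 12
    for _ in range(qdcount):            # skip the question section (no compression here)
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        pos += 1 + 4                    # root byte + QTYPE/QCLASS
    if arcount == 0 or msg[pos] != 0 or struct.unpack("!H", msg[pos + 1:pos + 3])[0] != 41:
        return False
    return bool(struct.unpack("!H", msg[pos + 7:pos + 9])[0] & DO_FLAG)

def parse_flags(msg):
    """Header flags: AD = resolver says it validated, CD = client disabled checking."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF}

def answer_is_authenticated(msg, resolver_ip):
    """Only believe AD from a trusted resolver on a tamper-proof path (RFC 4035 s. 4.9.3)."""
    return parse_flags(msg)["ad"] and resolver_ip in LOCAL_RESOLVERS

# Constructed response header: QR|RD|RA|AD = 0x81A0, same id, one question, no answers
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 0, 0, 0)
                   + encode_name("example.com.") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    print("query asks for RRSIGs:", query_requests_signatures(build_query("example.com.")))
    print("AD from loopback trusted:", answer_is_authenticated(SAMPLE_RESPONSE, "127.0.0.1"))
    print("AD from remote trusted:", answer_is_authenticated(SAMPLE_RESPONSE, "192.0.2.53"))
```

A resolver that strips the OPT record or never sets AD is the "use a different one" case; a remote resolver that does set AD still gives nothing a stub can rely on without a secured path, which is why the loopback validator is the simpler answer.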