<div dir="ltr">Thanks Evan for answering my questions. I will look more into getdns-api or the libunbound library for the client-side resolve.<div><br></div><div>Rgds</div><div>Simon</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 13, 2018 at 3:00 PM, Evan Hunt <span dir="ltr">&lt;<a href="mailto:each@isc.org" target="_blank">each@isc.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote:<br>
> 1. Assume if I use an external recursive resolver and if that resolver does<br>
> not support DNSSEC, how can I validate the signature?<br>
<br>
</span>Depends what you mean by supporting DNSSEC; see below.<br>
<span class=""><br>
> 2. If I use an external resolver and if a hacker sits in between my<br>
> system and the external resolver, will it detect?<br>
<br>
</span>That's exactly what DNSSEC is for. If someone alters the answer,<br>
the signatures won't validate.<br>
<span class=""><br>
> 3. When the external resolver resolves a query and when it responds back to<br>
</span>> the client, will it strip off the signatures? I assume the validation is<br>
<span class="">> already done at the recursive resolver.<br>
<br>
</span>The resolver doesn't have to do DNSSEC validation itself (though of course<br>
it's a good idea). It just needs to pass along signatures on request. If<br>
you're using a resolver that doesn't do that... well, use a different one.<br>
<br>
You can run a resolver as a separate local process, listening on the<br>
localhost address. This ensures you have the resolver features you need<br>
and also makes it quite a lot harder to mount a man-in-the-middle attack.<br>
<span class=""><br>
> 4. Can I integrate dnsmasq option with my client application? Any reference.<br>
<br>
</span>If you need it to be built in to your application, I'm not sure. Warren's<br>
suggestion of using getdns-api was a better idea anyway.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Evan Hunt -- <a href="mailto:each@isc.org">each@isc.org</a><br>
Internet Systems Consortium, Inc.<br>
</div></div></blockquote></div><br></div>