DNSSECbis Q-2: degradation attack
mcr at sandelman.ottawa.on.ca
Tue Sep 2 22:46:05 UTC 2003
>>>>> "Miek" == Miek Gieben <miekg at atoom.net> writes:
Miek> [On 02 Sep, @23:16, Michael wrote in "Re: DNSSECbis Q-2: degradation ..."]
>> Mike, thank you for the diagram. It looks correct to me.
>> It certainly answers the algorithm question for me.
>> A major question is what does the resolver do with all this information?
>> One thing I found weird about your diagram is that you have "Process Normal
>> Response" in the middle of the diagram, while "Treat Secure" is at the
>> It isn't obvious that the "Treat as Bogus" is also a terminal node. May
>> I suggest that you put them all at the bottom of the diagram?
>> Then, we are back to the problem of expressing three outcomes using only
>> 1 bit when communicating with the application :-)
Miek> Is there any documentation about this API? Should I look at the
Miek> lwresd source code from bind9? Or are we free to invent a new API?
lwres is built into bind9.
It is presently just DNS over 127.0.0.1:953. I would actually prefer to
use Unix domain stream sockets - specifically so that I know that it is
local, and so that I can get signaled when the server dies, etc.
I have just finished (yet another?.. not quite) async interface to
liblwres, which I'm about to post. It groks DNSSEC and follows CNAMEs,
which I need.
Please note reply-to.
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy"); [