In the DNSSEC context DSA is a (specific) digital signature algorithm.
Actually using a DNSSEC-protected zone is not difficult, but many resolvers do not know how to check signatures. AFAIK a signature-aware resolver will check signatures without you configuring anything.
I believe BIND 9 is likely to check signatures and glibc probably does not. If DNSSEC becomes popular this will probably change in due course.
Posted Feb 17, 2010 13:28 UTC (Wed) by tialaramex (subscriber, #21167)
It is expected that many end users will ask a recursive DNS server (perhaps one in their household DSL router, or at an ISP, or in a corporate data centre) to perform the DNSSEC checks on their behalf, at least initially. This protects them from poisoning of a distant cache or impersonation of the DNS servers for a particular domain, which previously had the potential to send millions of users to a bogus web site or whatever with just one good exploit.
Obviously, if you want to actually be sure, you should do all your own checks, but this costs CPU (fine in a PC but not in some embedded devices) and requires that you stay up to date with changes to the root keys (for most Linux users these will presumably be distributed as package updates like the timezone file updates) once the root is signed for real this summer.
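
The delegated checking described in the comments above, as an added example that is not part of the original thread: a stub that does not validate signatures itself sets the DO bit in its query and reads the AD flag in the reply header to learn whether the recursive server validated the answer. The function names are hypothetical and the sample replies are constructed; the AD flag is only as trustworthy as the path to the resolver that set it.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, AD = 0x8000, 0x0100, 0x0020
DO = 0x8000        # "DNSSEC OK" bit in the EDNS0 OPT flags (RFC 3225)
SERVFAIL = 2

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """A query with RD and AD set, plus an OPT record carrying DO."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL = flags, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def classify(reply, txid):
    """What a non-validating stub can conclude from the reply header."""
    if len(reply) < 12:
        return "reject"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not (flags & QR):
        return "reject"
    if (flags & 0x000F) == SERVFAIL:
        # A validating resolver answers SERVFAIL when signatures fail to verify
        return "servfail"
    return "validated-upstream" if flags & AD else "unvalidated"

def fake_reply(txid, flags):
    """Constructed 12-byte reply header, for demonstration only."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    txid = 0x1234
    print(build_query("example.com", txid).hex())
    for flags in (QR | RD | AD, QR | RD, QR | RD | SERVFAIL):
        print(hex(flags), classify(fake_reply(txid, flags), txid))
```
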