This is the mail archive of the libc-hacker@cygnus.com mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: Integrating BIND 8.2


> From: baccala@FreeSoft.org
> Date: Wed, 31 Mar 1999 12:31:31 -0500 (EST)
> cc: libc-hacker@cygnus.com, rms@santafe.edu
> 
> On 31 Mar, Zack Weinberg wrote:
> > 
> > I've looked at the code more closely, and it does not implement
> > cryptographic verification of ordinary DNS lookups (res_query).  This
> > means we could get away with leaving out the crypto, if we really
> > needed to.
> > 
> > zw
> 
> An argument could be made that the client doesn't need crypto.  If you
> want crypto verification, you point the resolver library at a nameserver
> (probably on localhost) that does the crypto for you.
> 
> That could be your "plugin".

The reference here is RFC2535:

4.3 Processing Responses and SIG RRs

   The following rules apply to the processing of SIG RRs included in a
   response:

     1. A security aware resolver that receives a response from a
        security aware server via a secure communication with the AD bit
        (see Section 6.1) set, MAY choose to accept the RRs as received
        without verifying the zone SIG RRs.

     2. In other cases, a security aware resolver SHOULD verify the SIG
        RRs for the RRs of interest.  This may involve initiating
        additional queries for SIG or KEY RRs, especially in the case of
...


so that would be OK.  Running a whole nameserver just to do secure
DNS isn't very efficient, though.


Happily, RFC 2535 obsoletes RFC 2065.  Now, it is the DSA algorithm
that is mandatory.  So our problem has gone away; we can just avoid
implementing RSA until the patent expires (whenever that is):

3.2 The KEY Algorithm Number Specification
...
   Algorithm specific formats and procedures are given in separate
   documents.  The mandatory to implement for interoperability algorithm
   is number 3, DSA.  It is recommended that the RSA/MD5 algorithm,
   number 1, also be implemented.  Algorithm 2 is used to indicate
   Diffie-Hellman keys and algorithm 4 is reserved for elliptic curve.

-- 
Geoffrey Keating <geoffk@ozemail.com.au>
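The RFC 2535 section 4.3 rules quoted above are what a stub resolver has to implement if it leaves the crypto to a validating nameserver: trust the AD bit only when the response came over a channel an attacker could not have written to, and otherwise fall back to rule 2 (verify SIG RRs). The program below is an added example, not code from this message, from glibc or from BIND; the function names (parse_dns_header, classify_response), the trusted_channel flag and the sample packets are all assumptions of the example, and the packets are constructed by hand rather than captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of the RFC 2535 section 4.3 decision for one response. */
enum dnssec_action {
    DNSSEC_REJECT_SHORT = 0,   /* fewer than 12 octets: no usable header */
    DNSSEC_ACCEPT_AD = 1,      /* rule 1: AD set on a trusted channel, accept as received */
    DNSSEC_MUST_VERIFY_SIG = 2 /* rule 2: caller must verify (or fetch) the SIG RRs */
};

/* Fixed 12-octet header of RFC 1035 section 4.1.1, with the AD and CD bits
 * that RFC 2535 section 6.1 took from the old Z field. */
struct dns_header {
    uint16_t id;
    unsigned qr, opcode, aa, tc, rd, ra, ad, cd, rcode;
    uint16_t qdcount, ancount, nscount, arcount;
};

static uint16_t get16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse the header in network byte order. Returns 0 on success, -1 if the
 * buffer is too short to hold a header at all. */
int parse_dns_header(const uint8_t *buf, size_t len, struct dns_header *h)
{
    if (buf == NULL || h == NULL || len < 12)
        return -1;
    h->id = get16(buf);
    /* flag octet 1: QR(1) OPCODE(4) AA(1) TC(1) RD(1) */
    h->qr = (buf[2] >> 7) & 1;
    h->opcode = (buf[2] >> 3) & 0x0f;
    h->aa = (buf[2] >> 2) & 1;
    h->tc = (buf[2] >> 1) & 1;
    h->rd = buf[2] & 1;
    /* flag octet 2: RA(1) Z(1) AD(1) CD(1) RCODE(4) */
    h->ra = (buf[3] >> 7) & 1;
    h->ad = (buf[3] >> 5) & 1;
    h->cd = (buf[3] >> 4) & 1;
    h->rcode = buf[3] & 0x0f;
    h->qdcount = get16(buf + 4);
    h->ancount = get16(buf + 6);
    h->nscount = get16(buf + 8);
    h->arcount = get16(buf + 10);
    return 0;
}

/* RFC 2535 4.3 rule 1 only lets the resolver skip SIG verification when the
 * AD bit arrived "via a secure communication". trusted_channel is the
 * caller's assertion of that (e.g. the server is a validating nameserver on
 * 127.0.0.1). Over any other path a forged reply can set AD like any other
 * bit, so the AD bit is ignored and rule 2 applies. */
enum dnssec_action classify_response(const uint8_t *buf, size_t len,
                                     int trusted_channel)
{
    struct dns_header h;
    if (parse_dns_header(buf, len, &h) != 0)
        return DNSSEC_REJECT_SHORT;
    if (h.qr && h.ad && trusted_channel)
        return DNSSEC_ACCEPT_AD;
    return DNSSEC_MUST_VERIFY_SIG;
}

/* Constructed sample (not a captured packet): answer to "example.com. IN A"
 * with QR, RD, RA and AD set, one A record 192.0.2.1, TTL 3600. */
const uint8_t SAMPLE_AD_RESPONSE[] = {
    0x12, 0x34, 0x81, 0xa0,             /* ID; QR=1 RD=1; RA=1 AD=1 RCODE=0 */
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, /* QD=1 AN=1 NS=0 AR=0 */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,             /* QTYPE=A QCLASS=IN */
    0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, /* NAME ptr->12, TYPE=A, CLASS=IN */
    0x00, 0x00, 0x0e, 0x10, 0x00, 0x04, 192, 0, 2, 1 /* TTL, RDLEN, RDATA */
};

/* Same constructed answer with AD clear: the server did not validate it. */
const uint8_t SAMPLE_NO_AD_RESPONSE[] = {
    0x12, 0x34, 0x81, 0x80,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,
    0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x0e, 0x10, 0x00, 0x04, 192, 0, 2, 1
};

int main(void)
{
    static const char *names[] = { "reject (short)", "accept (AD, trusted)",
                                   "verify SIG RRs" };
    printf("AD set, localhost server : %s\n",
           names[classify_response(SAMPLE_AD_RESPONSE, sizeof SAMPLE_AD_RESPONSE, 1)]);
    printf("AD set, remote server    : %s\n",
           names[classify_response(SAMPLE_AD_RESPONSE, sizeof SAMPLE_AD_RESPONSE, 0)]);
    printf("AD clear, localhost      : %s\n",
           names[classify_response(SAMPLE_NO_AD_RESPONSE, sizeof SAMPLE_NO_AD_RESPONSE, 1)]);
    return 0;
}
```

The point of the trusted_channel argument is the caveat behind the "plugin" idea in the quoted reply: a stub that has no crypto of its own is only as good as the path to the validating server, so a resolver configured to talk to anything other than a local or otherwise protected nameserver has to treat AD as advisory and take rule 2.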

