This is the mail archive of the libc-hacker@cygnus.com mailing list for the glibc project.
Re: Integrating BIND 8.2
- To: baccala@FreeSoft.org
- Subject: Re: Integrating BIND 8.2
- From: Geoff Keating <geoffk@ozemail.com.au>
- Date: Thu, 1 Apr 1999 08:55:50 +1000
- CC: zack@rabi.columbia.edu, libc-hacker@cygnus.com, rms@santafe.edu
- References: <199903311732.JAA06943@cygnus.com>
> From: baccala@FreeSoft.org
> Date: Wed, 31 Mar 1999 12:31:31 -0500 (EST)
> cc: libc-hacker@cygnus.com, rms@santafe.edu
>
> On 31 Mar, Zack Weinberg wrote:
> >
> > I've looked at the code more closely, and it does not implement
> > cryptographic verification of ordinary DNS lookups (res_query). This
> > means we could get away with leaving out the crypto, if we really
> > needed to.
> >
> > zw
>
> An argument could be made that the client doesn't need crypto. If you
> want crypto verification, you point the resolver library at a nameserver
> (probably on localhost) that does the crypto for you.
>
> That could be your "plugin".
The reference here is RFC 2535:

    4.3 Processing Responses and SIG RRs

    The following rules apply to the processing of SIG RRs included in a
    response:

    1. A security aware resolver that receives a response from a
       security aware server via a secure communication with the AD bit
       (see Section 6.1) set, MAY choose to accept the RRs as received
       without verifying the zone SIG RRs.

    2. In other cases, a security aware resolver SHOULD verify the SIG
       RRs for the RRs of interest. This may involve initiating
       additional queries for SIG or KEY RRs, especially in the case of
    ...

so that would be OK. Running a whole nameserver just to do secure
DNS isn't very efficient, though.
Happily, RFC 2535 obsoletes RFC 2065. Now, it is the DSA algorithm
that is mandatory. So our problem has gone away; we can just avoid
implementing RSA until the patent expires (whenever that is):
    3.2 The KEY Algorithm Number Specification
    ...
    Algorithm specific formats and procedures are given in separate
    documents. The mandatory to implement for interoperability algorithm
    is number 3, DSA. It is recommended that the RSA/MD5 algorithm,
    number 1, also be implemented. Algorithm 2 is used to indicate
    Diffie-Hellman keys and algorithm 4 is reserved for elliptic curve.

--
Geoffrey Keating <geoffk@ozemail.com.au>
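The two RFC 2535 passages quoted in the message above (section 4.3 on when a resolver may skip SIG verification, and section 3.2 on KEY algorithm numbers) can be illustrated with a small resolver-side check. The following is an added example written for this archive page; it is not code from the thread, from glibc or from BIND. It parses the fixed DNS header to read the AD bit, parses the fixed fields of a KEY RR's RDATA to read the algorithm number, and applies the section 4.3 rule. Whether the channel to the nameserver counts as "secure communication" is something the RFC leaves to the resolver's configuration, so here it is a caller-supplied boolean; the sample response header and KEY RDATA bytes are constructed for the example.

```python
"""Added example (not from the original thread): RFC 2535 header/KEY parsing
and the section 4.3 decision on whether SIG RRs must be verified locally."""
import struct

# Algorithm numbers from RFC 2535 section 3.2, as quoted in the message.
KEY_ALGORITHMS = {
    1: "RSA/MD5",
    2: "Diffie-Hellman",
    3: "DSA",               # mandatory to implement under RFC 2535
    4: "elliptic curve (reserved)",
}

# Constructed sample: a response (QR) with RD, RA and AD set, one question,
# one answer. Flags word = 0x8000 | 0x0100 | 0x0080 | 0x0020 = 0x81A0.
SAMPLE_RESPONSE_WITH_AD = b"\x12\x34\x81\xa0\x00\x01\x00\x01\x00\x00\x00\x00"

# Constructed sample KEY RDATA: flags 0x0100 (zone key), protocol 3 (DNSSEC),
# algorithm 3 (DSA), followed by placeholder public-key bytes.
SAMPLE_KEY_RDATA = b"\x01\x00\x03\x03" + b"\x00\x01\x02\x03"


def parse_header(msg: bytes) -> dict:
    """Parse the 12-byte DNS header (RFC 1035 4.1.1 plus the RFC 2535 AD/CD bits)."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ad": bool(flags & 0x0020),   # Authentic Data, RFC 2535 section 6.1
        "cd": bool(flags & 0x0010),   # Checking Disabled, RFC 2535 section 6.1
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_key_rdata(rdata: bytes) -> dict:
    """Parse the fixed fields of KEY RR RDATA (RFC 2535 section 3.1):
    16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key."""
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than its fixed fields")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {
        "flags": flags,
        "zone_key": bool(flags & 0x0100),
        "protocol": protocol,
        "algorithm": algorithm,
        "algorithm_name": KEY_ALGORITHMS.get(algorithm, "unknown/unassigned"),
        "public_key": rdata[4:],
    }


def needs_sig_verification(header: dict, secure_channel: bool) -> bool:
    """RFC 2535 section 4.3: a resolver MAY accept RRs unverified only when the
    response arrived over a secure channel from a security-aware server with
    the AD bit set (rule 1). In every other case it SHOULD verify the SIG RRs
    itself (rule 2). 'secure_channel' is the resolver's own judgement of the
    transport, e.g. a validating server on localhost as suggested in the thread."""
    return not (header["ad"] and secure_channel)


def summarize(msg: bytes, key_rdata: bytes, secure_channel: bool) -> dict:
    """Convenience wrapper returning the decision plus the parsed fields."""
    hdr = parse_header(msg)
    key = parse_key_rdata(key_rdata)
    return {
        "ad_set": hdr["ad"],
        "verify_sigs": needs_sig_verification(hdr, secure_channel),
        "key_algorithm": key["algorithm_name"],
    }


if __name__ == "__main__":
    for trusted in (True, False):
        print(f"secure channel={trusted}:",
              summarize(SAMPLE_RESPONSE_WITH_AD, SAMPLE_KEY_RDATA, trusted))
```

With the constructed response the AD bit is set, so the resolver may skip local SIG verification only when it also trusts the channel; over an untrusted path the same response still requires verifying the SIG RRs, which is the case the thread says the glibc resolver would not be doing.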