On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote: > 1. Assume if I use an external recursive resolver and if that resolver does > not support DNSSEC, how can I validate the signature?
Depends what you mean by supporting DNSSEC; see below. > 2. If I use an external resolver and if a hacker sits in between my > system and the external resolver, will it detect ? That's exactly what DNSSEC is for. If someone alters the answer, the signatures won't validate. > 3. When the external resolver resolve a query and when it response back to > the client, will it strip off the signatures? I assume the validation is > already done at the recursive resolver. The resolver doesn't have to do DNSSEC validation itself (though of course it's a good idea). It just needs to pass along signatures on request. If you're using a resolver that doesn't do that... well, use a different one. You can run a resolver as a separate local process, listening on the localhost address. This ensures you have the resolver features you need and also makes it quite a lot harder to mount a man-in-the-middle attack. > 4. Can I integrate dnsmasq option with my client application? Any reference. If you need it to be built in to your application, I'm not sure. Warren's suggestion of using getdns-api was a better idea anyway. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list firstname.lastname@example.org https://lists.isc.org/mailman/listinfo/bind-users