This wouldn't really be different than using libc for resolving, so I
don't think it really qualifies as a security issue.
You can still perform DNSSEC validation, which is the actual difference
from if DNSSEC proxying wasn't supported by dnsmasq. Granted, it doesn't
automatically do the validation itself, but neither do most programs (or
libc).
Should you want to have DNSSEC validation on your system for now, you
might want to install the DNSSEC Validator plugin for Firefox.
It definitely should be done, but this will depend on work upstream or
by developers. In other words, patches welcome, for fixing dnsmasq
itself.
We may look into adding support for unbound as a resolver in NM; to be
determined.
** Changed in: network-manager (Ubuntu)
Status: New => Triaged
** Changed in: network-manager (Ubuntu)
Importance: Undecided => Wishlist
** Also affects: dnsmasq (Ubuntu)
Importance: Undecided
Status: New
** Changed in: dnsmasq (Ubuntu)
Importance: Undecided => Wishlist
** Changed in: dnsmasq (Ubuntu)
Status: New => Triaged
--
https://bugs.launchpad.net/bugs/995332
Title:
Validate DNSSEC by default
Status in “dnsmasq” package in Ubuntu:
Triaged
Status in “network-manager” package in Ubuntu:
Triaged
Bug description:
Network Manager in Precise uses a local forwarding DNS server
(dnsmasq). This does not perform DNSSEC validation, although it is
configured to proxy the DNSSEC validation result from the upstream
server, for which the manpage mentions the following caveat:
"You should only do this if you trust all the configured upstream
nameservers and the network between you and them."
Since not all networks or upstream DNS servers are trustworthy, the
safest place to perform DNSSEC validation is on the client. Using a
local DNS server which cannot validate is a missed opportunity; by
replacing dnsmasq with a more-capable DNS server (e.g. Unbound)
security against DNS poisoning and MITM attacks could be improved.
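The manpage caveat quoted in the description comes down to one header flag. The following Python code is an added example, not part of the bug report or of dnsmasq: it builds a DNSSEC-aware query and reads the AD flag from two constructed responses, which is all a non-validating client behind a proxying forwarder gets to see. The function names, transaction ID and sample bytes are assumptions made for the illustration.

```python
import struct

AD = 0x0020  # Authenticated Data header flag (RFC 4035)
DO = 0x8000  # "DNSSEC OK" flag carried in the EDNS0 OPT record (RFC 3225)

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD and AD set plus an OPT record with DO: 'report the DNSSEC status'."""
    header = struct.pack("!HHHHHH", txid, 0x0100 | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, class = UDP size, TTL field holds the flags, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def header_flags(msg):
    """Decode the header fields a stub resolver can inspect."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "ad": bool(flags & AD), "rcode": flags & 0x000F}

def stub_view(msg):
    """What a non-validating client learns: the resolver's claim, not a proof."""
    f = header_flags(msg)
    if not f["qr"]:
        raise ValueError("not a response")
    if f["ad"] and f["rcode"] == 0:
        return "upstream-claims-validated"
    return "no-validation-claim"

def _response(flags):
    # Constructed sample: header plus echoed question, answer section omitted
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + question

SAMPLE_AD_SET = _response(0x81A0)    # QR, RD, RA, AD (constructed)
SAMPLE_AD_CLEAR = _response(0x8180)  # QR, RD, RA (constructed)

if __name__ == "__main__":
    for label, msg in (("AD set", SAMPLE_AD_SET), ("AD clear", SAMPLE_AD_CLEAR)):
        print(label, "->", stub_view(msg))
```

The two samples differ in a single byte of the header, and nothing in the message authenticates that byte, which is why the manpage ties proxying to trust in the upstream servers and the network path.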