On 05/07/2012 19:09, Mark Felder wrote:
> On Thu, 05 Jul 2012 11:05:42 -0500, Damien Fleuriot <m...@my.gd> wrote:
>
>> Using a third-party's name servers is not an option
>
> And how can you trust that your port 53 TCP/UDP traffic isn't being
> redirected and you're talking to the real root servers? I think you're
> being a bit too paranoid...
DNSSEC. That's how. Well, it doesn't stop your traffic being redirected, but it does guarantee that the data you receive is authentic.

The tricky bit is ensuring that your queries don't get redirected between the stub resolver built into libc and whatever trusted recursive resolver does the DNSSEC validation for you. AFAIK, no operating system has a stub resolver with the capability to validate DNSSEC. But that would be a really excellent enhancement if it was feasible.

Cheers,

Matthew

PS. "Too paranoid?" That's impossible.

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
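An added example, not from the thread, of the check Matthew's reply points at: a stub resolver can only rely on the AD ("authenticated data") bit that a validating recursive resolver sets if the hop to that resolver cannot itself be redirected. It assumes that loopback is the only trusted path, and the DNS responses it inspects are constructed inline (headers only).

```python
import ipaddress
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 4035 section 3.2.3).
QR_FLAG = 0x8000     # response
RD_FLAG = 0x0100     # recursion desired
RA_FLAG = 0x0080     # recursion available
AD_FLAG = 0x0020     # authenticated data: set by a *validating* resolver only
CD_FLAG = 0x0010     # checking disabled
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS message header into its fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR_FLAG),
        "ad": bool(flags & AD_FLAG),
        "cd": bool(flags & CD_FLAG),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def trusted_path(resolver_ip: str) -> bool:
    """Assumption for this example: only a validator on loopback is reachable
    without an untrusted network hop that could rewrite the reply (AD bit included)."""
    return ipaddress.ip_address(resolver_ip).is_loopback


def answer_is_authentic(msg: bytes, resolver_ip: str) -> bool:
    """True only if the validator asserted AD *and* the stub trusts the path it came over.
    An AD bit received over an untrusted path proves nothing: a redirecting middlebox
    can set it just as easily as it can rewrite the answer."""
    hdr = parse_header(msg)
    return hdr["qr"] and hdr["rcode"] == 0 and hdr["ad"] and trusted_path(resolver_ip)


# Constructed sample responses: header only, section counts filled in but the
# question/answer sections omitted, since only the flags word is examined here.
def make_response(flags: int, ident: int = 0x1234) -> bytes:
    return struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)


VALIDATED = make_response(QR_FLAG | RD_FLAG | RA_FLAG | AD_FLAG)  # validator set AD
UNVALIDATED = make_response(QR_FLAG | RD_FLAG | RA_FLAG)          # same reply, no AD
```

The same reply is trusted from 127.0.0.1 and rejected from a remote address, which is exactly the gap between "the data is authentic" and "my query reached the validator I meant".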