>>>>> "Yoav" == Yoav Nir <[email protected]> writes:
    Jorge> I agree DNSSEC cannot be assumed, its deployments have been
    Jorge> marginal.
>> DNSSEC is *one* *public* trusted third party. It's not the only
>> way to use DNS securely, it's just the easiest one to arrange
>> between total strangers.
Yoav> Yup, except that the problem we're trying to solve here is not
Yoav> that of total strangers.
If the entities are in fact a group who has an internal trust anchor:
a) if they want to use DNSSEC, it only matters they have DNSSEC
deployed for the part of the reverse zone they use, and that
they have a trusted anchor into that.
b) a really simple way to get secure DNS data is to make every
(gateway) machine a secondary for the zones in question.
c) a second way is to simply point the /etc/resolv.conf and/or
the DNS-forwarders to some *set* of internal servers, ideally
authenticated with TSIG... OR, even do it over the single spoke
to hub IPsec tunnel.
Finally, if we are talking IPv4, then the internal IPs are likely
RFC1918, and so one can't use the public DNS anyway, so you have to do
either (b) or (c) ANYWAY.
Again, this can all be done with existing protocols and existing
software, which, on a Linux machine, you can do a yum install or
apt-get install.
IPsec mailing list, [email protected], https://www.ietf.org/mailman/listinfo/ipsec
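Option (b) above, the gateway-as-secondary with TSIG-authenticated transfers, as a BIND `named.conf` sketch added here for illustration; it is not part of the thread. The key name `gw-xfer`, the reverse zone `10.in-addr.arpa`, the file paths and the `10.0.0.x` hub/spoke addresses are assumptions, and the `primary`/`secondary`/`primaries` keywords assume BIND 9.16 or later (older releases spell them `master`/`slave`/`masters`).

```conf
# --- Hub (primary) side: constructed example, not from the thread ---
# Generate the shared secret once with `tsig-keygen gw-xfer` and paste
# the same key statement into the hub and every spoke gateway.
key "gw-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";   # placeholder, not a real key
};

zone "10.in-addr.arpa" {
    type primary;
    file "/var/named/10.in-addr.arpa.db";        # assumed path
    # Hand the zone only to peers whose AXFR/IXFR request is signed with the key;
    # an unsigned or wrongly-signed request is refused.
    allow-transfer { key "gw-xfer"; };
    notify yes;
    also-notify { 10.0.0.2; 10.0.0.3; };         # the spoke gateways (assumed)
};

# --- Spoke gateway side: same key, pulls the zone over the hub tunnel ---
key "gw-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";   # identical to the hub's secret
};

# Sign every query and transfer request sent to the hub with the key.
server 10.0.0.1 {
    keys { "gw-xfer"; };
};

zone "10.in-addr.arpa" {
    type secondary;
    primaries { 10.0.0.1; };                     # hub address (assumed)
    file "/var/named/secondary/10.in-addr.arpa.db";
};
```

With this in place each gateway answers reverse lookups for the private range from its own authenticated copy, so the resolver on that box never has to trust an unauthenticated answer from the public DNS for RFC1918 space.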
