On Mon, 2008-11-10 at 14:54 +0100, Willi Herzig wrote:
> is there any support of squid to validate DNS queries using DNSSEC (DNS
> Security Extensions)? Or is it planned?

Not at this time. But if the local resolver daemon supports DNSSEC then if I am not mistaken Squid should be able to take benefit of this. There are also thoughts about being able to use TCP exclusively for talking to the DNS resolver, solving issues when the transport to the resolver is not trusted.

> It would be very useful if squid validates DNS queries using DNSSEC (for
> example using a library like libval) and shows the result as an error
> message if there are any problems with this domain.
> Without DNSSEC support the user will just get the message "Could not get
> an IP address SERVER ERROR" without knowing that the name exists, but
> there was just an error validating the domain (for example a cache
> poisoning attack).

Right. This would be quite meaningful, unless the resolver does the needed dance to recover from / ignore attacks making sure that the correct reply is given to the client (squid).

Regards
Henrik
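The thread turns on what a client such as Squid can actually learn from a validating resolver: the AD (Authenticated Data) flag in the response header says the resolver validated the answer, a SERVFAIL from a validating resolver is how a validation failure shows up, and NXDOMAIN means the name really does not exist. The example below is added here as an illustration and is not Squid's code or anything from the thread; it parses the 12-byte DNS header of constructed response messages, classifies them along those lines, and applies the standard diagnostic of re-querying with CD (Checking Disabled) set to tell a validation failure apart from an ordinary upstream failure. The `resolver_trusted` parameter is an assumption reflecting Henrik's point that the AD bit is only meaningful when the transport to the resolver cannot be tampered with.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3).
FLAG_QR = 1 << 15   # response (not query)
FLAG_RD = 1 << 8    # recursion desired
FLAG_RA = 1 << 7    # recursion available
FLAG_AD = 1 << 5    # Authenticated Data: resolver validated the answer with DNSSEC
FLAG_CD = 1 << 4    # Checking Disabled: client asked the resolver not to validate
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

# Verdict strings returned by classify() and diagnose_servfail().
VALIDATED = "answer validated by resolver (AD set)"
UNVALIDATED = "answer returned but not validated (AD clear)"
AD_UNTRUSTED = "AD set, but resolver transport is untrusted; treat as unvalidated"
NXDOMAIN = "name does not exist (NXDOMAIN)"
SERVFAIL = "resolver failure (SERVFAIL): possible DNSSEC validation failure"
NOT_RESPONSE = "not a response message"
VALIDATION_FAILURE = "DNSSEC validation failure: data exists but is bogus"
UPSTREAM_FAILURE = "generic resolver/upstream failure, not a validation failure"


def parse_header(msg):
    """Unpack the fixed 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def classify(msg, resolver_trusted=True):
    """Say what a client can conclude from one resolver response.

    resolver_trusted: hypothetical knob meaning the path to the resolver
    (localhost, or a TCP/trusted channel) cannot be spoofed. Only then does
    the AD bit carry any weight, since AD is set by the resolver, not signed.
    """
    h = parse_header(msg)
    if not h["flags"] & FLAG_QR:
        return NOT_RESPONSE
    rcode = h["flags"] & 0x0F
    if rcode == RCODE_NXDOMAIN:
        return NXDOMAIN
    if rcode == RCODE_SERVFAIL:
        return SERVFAIL
    if rcode != RCODE_NOERROR:
        return "unexpected rcode %d" % rcode
    if h["flags"] & FLAG_AD:
        return VALIDATED if resolver_trusted else AD_UNTRUSTED
    return UNVALIDATED


def diagnose_servfail(servfail_msg, cd_retry_msg):
    """Distinguish a validation failure from a plain outage.

    A validating resolver answers bogus data with SERVFAIL. Re-asking the same
    question with CD=1 makes it hand back the unvalidated data anyway; if that
    retry succeeds, the original SERVFAIL was a validation failure. Both
    messages are passed in as bytes; no network is used here.
    """
    if classify(servfail_msg) != SERVFAIL:
        raise ValueError("first message is not a SERVFAIL response")
    retry = parse_header(cd_retry_msg)
    retry_rcode = retry["flags"] & 0x0F
    if retry["flags"] & FLAG_QR and retry_rcode == RCODE_NOERROR and retry["ancount"] > 0:
        return VALIDATION_FAILURE
    return UPSTREAM_FAILURE


def build_response(ident, rcode, ad=False, cd=False, ancount=0):
    """Construct a header-only DNS response for testing (constructed sample data)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode
    if ad:
        flags |= FLAG_AD
    if cd:
        flags |= FLAG_CD
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    good = build_response(0x1234, RCODE_NOERROR, ad=True, ancount=1)
    servfail = build_response(0x1235, RCODE_SERVFAIL)
    cd_retry = build_response(0x1236, RCODE_NOERROR, cd=True, ancount=1)
    print(classify(good))
    print(classify(servfail))
    print(diagnose_servfail(servfail, cd_retry))
```

The point of `diagnose_servfail` is that the "Could not get an IP address" case from the thread collapses three different situations; with a validating local resolver the client can at least separate "does not exist" from "exists but failed validation", which is what an informative error page would need.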
