On 22 Aug 2015, at 17:24, [email protected] wrote:

> Zitat von Patrik Fältström <[email protected]>:
>
>> On 21 Aug 2015, at 9:49, Andi via Unbound-users wrote:
>>
>>> I also find it very useful because DNSSEC should be integrated per device 
>>> to be useful/secure IMHO.
>>
>> I must say I disagree with the statement, because it sounds as if the 
>> usefulness of DNSSEC is black and white, yes or no, and that it is useless 
>> today as no validation is happening locally.
>>
>> In reality, you already today must trust various pieces of the zeroconf 
>> tussle, and one of them is the recursive resolver of your choice (or rather, 
>> the one your [trusted] DHCP server is giving to you).
>
> At least for mobile devices the user has no real way to decide if the DNS 
> provided is really secure or not. Because of this it is preferable to do 
> DNSSEC per device and ignore the resolver provided by DHCP if possible.

It is always preferable to do DNSSEC in the device. Do not misunderstand me. :-)

I was just against wording that could be interpreted as if DNSSEC was useless 
if that was not the case.

>> Unfortunately statements like the one above I hear as arguments for not 
>> doing so.
>
> The possibility of doing better should never be an excuse for doing nothing. My 
> only point was that Unbound or something similar should be on stock Android 
> soon, so the ones who care about secure DNS can simply activate it.

Agree. We should always have as a goal to Do The Right Thing.

>> That said, I completely agree that the goal must be to have validation 
>> happen locally, although that will in some cases (various mixed IPv6/IPv4 
>> environments for example) not work. But in those you are doomed anyway 
>> if you do not trust the local environment.
>
> The only cases where I have seen DNSSEC completely fail is if UDP *and* TCP 
> port 53 are not possible unfiltered. There are some stupid SOHO routers which 
> always direct all port 53 traffic to themselves, but fail to handle DNSSEC in a 
> useful way.

In 6to4 environments, you also have to trust the gateway that synthesises the 
IPv6 addresses for the IPv4 addresses you want to access. But that is to some 
degree the environment you talk about, as the device does not have IPv4 at all 
(i.e. UDP:53 and TCP:53 are blocked on IPv4, as the device does not have IPv4).

   Patrik
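The thread turns on two checks a device can make for itself: whether the resolver handed out by DHCP actually validates (the AD bit in a DNSSEC-aware reply, and a SERVFAIL that goes away when CD is set), and whether port 53 is reachable over both UDP and TCP, since a filtered TCP/53 path breaks DNSSEC as soon as a signed answer is too large for UDP. The script below is an added example and is not code from the thread, from Unbound or from Android: it builds a raw EDNS0 query with the DO bit, decodes the reply header flags, classifies the result, and can probe a resolver over both transports. The sample replies embedded in it are constructed, the default resolver address 127.0.0.1 and the query name are assumptions, and the probe is only run when the script is executed directly.

```python
"""Probe whether a resolver validates DNSSEC and whether port 53 works over
UDP and TCP. Added example; not code from the mailing-list thread or from
Unbound. Uses only the Python standard library."""
import os
import socket
import struct

SERVFAIL = 2  # RCODE value for SERVFAIL


def build_query(qname, qtype=1, txid=None, dnssec_ok=True, checking_disabled=False):
    """Return a wire-format DNS query with an EDNS0 OPT RR. DO (top bit of the
    OPT TTL field) asks for RRSIGs; the CD header flag tells a validating
    resolver to skip validation, which is how a client distinguishes a
    validation failure from an ordinary server failure."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    flags = 0x0100  # RD
    if checking_disabled:
        flags |= 0x0010  # CD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT RR)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # IN class
    ttl = 0x8000 if dnssec_ok else 0  # ext-rcode=0, version=0, DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ttl, 0)  # root name, OPT, UDP size, TTL, RDLEN
    return header + question + opt


def parse_flags(msg):
    """Decode the 12-byte DNS header and return the bits that matter here."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "txid": txid,
        "rcode": flags & 0x000F,
        "tc": bool(flags & 0x0200),  # truncated: UDP answer did not fit, retry over TCP
        "ad": bool(flags & 0x0020),  # authenticated data: resolver validated the answer
        "cd": bool(flags & 0x0010),  # checking disabled echoed back
    }


def classify(reply, cd_reply=None):
    """Interpret a normal reply (and optionally the reply to the same query
    with CD=1) the way a client deciding whether to trust its resolver would.
    Note that AD only means the resolver claims to have validated; the path
    between device and resolver is still trusted, which is the point of the
    thread about validating on the device itself."""
    if reply["rcode"] == 0 and reply["ad"]:
        return "validated"
    if reply["rcode"] == SERVFAIL and cd_reply and cd_reply["rcode"] == 0:
        return "bogus"  # validation failed; data is reachable with checking disabled
    if reply["rcode"] == 0:
        return "unvalidated"  # answer came back without AD: resolver does not validate
    return "unknown"


def frame_tcp(wire):
    """DNS over TCP prefixes each message with its 16-bit length."""
    return struct.pack("!H", len(wire)) + wire


def send_query(resolver, wire, proto="udp", timeout=3.0):
    """Send one query to resolver:53 over UDP or TCP and return the raw reply.
    Raises OSError (including socket.timeout) when the path is filtered."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    if proto == "udp":
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(wire, (resolver, 53))
            return s.recv(4096)
    with socket.create_connection((resolver, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(wire))
        length = struct.unpack("!H", s.recv(2))[0]
        buf = b""
        while len(buf) < length:
            chunk = s.recv(length - len(buf))
            if not chunk:
                break
            buf += chunk
        return buf


# Constructed sample reply headers (only the header is needed for the flag check).
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD, NOERROR
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)   # QR RD RA, SERVFAIL
CD_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 1, 0, 1)         # QR RD RA CD, NOERROR

if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumption: resolver to probe
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com."     # assumption: a signed name
    for proto in ("udp", "tcp"):
        try:
            plain = parse_flags(send_query(resolver, build_query(name), proto))
            cd = parse_flags(send_query(resolver, build_query(name, checking_disabled=True), proto))
            print(proto, classify(plain, cd), plain)
        except OSError as err:
            print(proto, "port 53 not usable:", err)
```

Run it against the DHCP-provided resolver and then against a local Unbound on 127.0.0.1; a resolver that returns "unvalidated" for a signed name is exactly the one the thread says you should not have to trust, and a transport that reports "port 53 not usable" is the SOHO-router failure mode described above.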
