Maintained by: NLnet Labs

[Unbound-users] local control socket; www.unbound.net certificate

Leen Besselink
Wed Dec 1 10:28:51 CET 2010


On 12/01/2010 04:12 AM, Paul Wouters wrote:
> On Wed, 1 Dec 2010, Leen Besselink wrote:
>
>> Chromium does have the --enable-dnssec-certs option so that is a start,
>> but it's experimental.
>
> What does that option do? As there is no real standard yet...

It does a number of checks from this page:
http://www.imperialviolet.org/2010/08/16/dnssectls.html

From looking at the wire, I see a request for the TXT RR with DO-bit set
and EDNS0 (payload size: 4096).

I haven't checked the actual code. It's more a proof of concept I think.

>
>> I think OpenSSH is the only application at this point which supports the
>> dnssec and in this case with SSHFP-RR.
>
> openswan supports raw RSA keys for IPsec in DNS.
>

Forgot about that one. Opportunistic encryption, I don't think anyone
else implemented that and openswan is not in the mainline kernel. So it
isn't widely deployed, which is too bad. It's an interesting idea.

>> DNSSEC can be used for so much more.
>
> It's coming, but it will take a few more months.
>
> Paul
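
The query described in the message above (a TXT request with the DO bit set and EDNS0 payload size 4096), as an added example that is not part of the original post and not Chromium's code: it builds such a query in DNS wire format and decodes the same fields back out. The name www.example.com, the query ID and all function names are assumptions made for illustration.

```python
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
DO_BIT = 0x8000  # "DNSSEC OK": top bit of the 16-bit EDNS flags (RFC 3225)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_TXT, payload=4096, do=True, qid=0x1234):
    """Build a DNS query with one question and an EDNS0 OPT record (qid is constructed)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload, DO_BIT if do else 0, 0)
    return header + question + opt

def read_name(msg, off):
    """Read an uncompressed name; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def describe_query(msg):
    """Return qname, qtype, EDNS payload size and DO flag of a query."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1 or an or ns:
        raise ValueError("expected a plain single-question query")
    qname, off = read_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"qname": qname, "qtype": qtype, "edns": False, "payload": None, "do": False}
    for _ in range(ar):  # walk the additional section looking for the OPT pseudo-RR
        _, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info.update(edns=True, payload=rclass, do=bool(ttl & DO_BIT))
    return info
```
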