Maintained by: NLnet Labs

[Unbound-users] Unbound Android port

Patrik Fältström
Fri Aug 21 10:11:57 CEST 2015


On 21 Aug 2015, at 9:49, Andi via Unbound-users wrote:

> I also find it very useful because DNSSEC should be integrated per device to be useful/secure IMHO.

I must say I disagree with the statement, because it sounds as if the usefulness of DNSSEC is black and white, yes or no. And that it is useless today as no validation is happening locally.

In reality, you already today must trust various pieces of the zeroconf tussle, and one of them is the recursive resolver of your choice (or rather, the one your [trusted] DHCP server is giving to you).

There are a multitude of attack vectors in the local network, but because of that, creating mechanisms for those to do a better job will make things better. And I am specifically thinking of the ability for a recursive resolver to do validation.

So, I definitely think DNSSEC is useful even if validation is not happening in the local device.

In Sweden, more than 95% of resolvers do validate DNSSEC-signed responses (I think it was, according to Geoff's measurements), and that is A Good Thing. More ISPs and cellphone providers etc. should immediately turn on validation!

Unfortunately, statements like the one above I hear as arguments for not doing so.

That said, I completely agree that the goal must be to have validation happen locally, although that will in some cases (various mixed IPv6/IPv4 environments for example) not work. But in those you are doomed anyway if you do not trust the local environment.

> I hope that someday (soon) a validating resolver will be the default for Android, at least in the more technically driven projects like CyanogenMod.

Completely agree with this!

   Patrik