Maintained by: NLnet Labs

[Unbound-users] Unbound Android port

Patrik Fältström
Sun Aug 23 08:07:07 CEST 2015


On 22 Aug 2015, at 17:24, lst_hoe02 at kwsoft.de wrote:

> Zitat von Patrik Fältström <paf at frobbit.se>:
>
>> On 21 Aug 2015, at 9:49, Andi via Unbound-users wrote:
>>
>>> I also find it very useful because DNSSEC should be integrated per Device to be useful/secure IMHO.
>>
>> I must say I disagree with the statement, because it sounds as if the usefulness of DNSSEC is black and white, yes or no. And that it is useless today as no validation is happening locally.
>>
>> In reality, you already today must trust various pieces of the zeroconf tussle, and one of them is the recursive resolver of your choice (or rather, the one your [trusted] DHCP server is giving to you).
>
> At least for mobile Devices the user has no real way to decide if the DNS provided is really secure or not. Because of this it is preferable to do DNSSEC per Device and ignore the resolver provided by DHCP if possible.

It is always preferable to do DNSSEC in the device. Do not misunderstand me. :-)

I was just against wording that could be interpreted as if DNSSEC was useless if that was not the case.

>> Unfortunately statements like the one above I hear as arguments for not doing so.
>
> Possibility for doing better should never be an excuse for doing nothing. My only point was that Unbound or something similar should be on stock Android soon, so the ones who care about secure DNS can simply activate it.

Agree. We should always have as a goal to Do The Right Thing.

>> That said, I completely agree that the goal must be to have validation happen locally, although that will in some cases (various mixed IPv6/IPv4 environments for example) not work. But in those you are doomed anyway if you do not trust the local environment.
>
> The only cases where I have seen DNSSEC completely fail is if UDP *and* TCP Port 53 is not possible unfiltered. There are some stupid SOHO routers which always direct all Port 53 traffic to itself, but fail to handle DNSSEC in a useful way.

In 6to4 environments, you have to also trust the gateway that synthesises the IPv6 addresses for the IPv4 addresses you want to access. But that is to some degree an environment you talk about as the device does not have IPv4 at all (i.e. UDP:53 and TCP:53 are blocked on IPv4, as the device does not have IPv4).

   Patrik
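An added illustration of the point about synthesised addresses in mixed IPv6/IPv4 environments (this is not code from the thread, from Patrik, or from the Unbound project). A DNS64 gateway embeds an IPv4 address into an IPv6 address under a /96 prefix as described in RFC 6052; the resulting AAAA record never existed in the signed zone, so a validator on the device cannot check it against the zone's DNSSEC signatures and has to trust the gateway instead. The helper below recognises such addresses and separates them from AAAA records that the zone itself could have signed. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 (or any other /96 prefix the operator passes in; longer prefixes with the RFC 6052 "u" octet layout are not handled), and the function names and the sample answers are constructed for the example.

```python
import ipaddress

# RFC 6052 well-known prefix used by NAT64/DNS64 to embed IPv4 addresses.
# Assumption: a /96 prefix, where the IPv4 address fills the low 32 bits.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embedded_ipv4(addr, prefix=WELL_KNOWN_PREFIX):
    """Return the IPv4 address embedded in a /96 DNS64-synthesised IPv6
    address, or None if the address does not fall inside the prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 synthesis prefixes are handled here")
    ip = ipaddress.IPv6Address(addr)
    if ip not in prefix:
        return None
    # With a /96 prefix the IPv4 address occupies the low-order 32 bits.
    return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)


def classify_aaaa_answers(answers, prefix=WELL_KNOWN_PREFIX):
    """Split (owner name, AAAA) pairs into records that could be covered by
    the zone's DNSSEC signatures ("native") and records a DNS64 gateway
    synthesised, which a local validator cannot verify against the zone."""
    result = {"native": [], "synthesized": {}}
    for name, aaaa in answers:
        v4 = embedded_ipv4(aaaa, prefix)
        if v4 is None:
            result["native"].append((name, aaaa))
        else:
            result["synthesized"].setdefault(name, []).append(str(v4))
    return result


# Constructed sample answers, as a stub resolver behind a DNS64 gateway
# might receive them (documentation addresses only).
SAMPLE_ANSWERS = [
    ("dualstack.example", "2001:db8::1"),          # real AAAA from the zone
    ("ipv4only.example", "64:ff9b::c000:201"),     # synthesised from 192.0.2.1
    ("ipv4only.example", "64:ff9b::c633:6401"),    # synthesised from 198.51.100.1
]

if __name__ == "__main__":
    report = classify_aaaa_answers(SAMPLE_ANSWERS)
    for name, aaaa in report["native"]:
        print(f"{name}: {aaaa} (present in the zone, validatable)")
    for name, v4s in report["synthesized"].items():
        print(f"{name}: synthesised by the gateway from {', '.join(v4s)}")
```

On a device that runs its own validating Unbound, the usual way out is to let Unbound perform the synthesis itself (its dns64 module, configured with module-config "dns64 validator iterator" and dns64-prefix), so the validator checks the signed A record before any AAAA is fabricated and the gateway no longer has to be trusted for the answer.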