Maintained by: NLnet Labs

Preview of data before security is established

Rick van Rein
Fri May 27 11:30:56 CEST 2016


Hello,

Is there any way for an asynchronous program to get a preview of DNS
data that is in the process of being validated?

For instance, we sometimes need to go over these three records in a
sequence...

_kerberos.arpa2.org.       IN TXT  "ARPA2.ORG"
_kerberos._udp.arpa2.org.  IN SRV  10 10 88  ...
_88._udp.arpa2.org.        IN TLSA  ...

...and could imagine speeding up this enforced sequence by using the
insecure data as a hint, and later mop up all the security status of the
three components (before acting on it externally).

FWIW, I sent a similar question to the GetDNS users list, with more
elaborate information on this use case; we use this for Kerberos realm
crossover.  The last two steps also need to be sequentially ordered for
DANE when we access a remote LDAP directory from our TLS Pool.  The
_kerberos TXT record is described in draft-vanrein-dnstxt-krb1 which
currently sits in the RFC editor queue.


Cheers,
 -Rick
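The chained TXT -> SRV -> TLSA walk above, written out as an added example that is not part of Rick's post and not libunbound or getdns code. It models a validating resolver as a toy class that hands back two futures per query, one for the unvalidated answer (the "preview") and one for the validated result, so that the next query in the chain can start from the hint while validation is still in flight. Before anything is acted on externally, every link must have validated secure and its validated rdata must equal the preview it was chained from; otherwise a forged preview could steer the chain to an attacker's realm and KDC. The zone contents, the `PreviewResolver` API, the SRV target `kdc.arpa2.org.` and the TLSA digest are constructed, and the TLSA owner is placed under the SRV target as RFC 7673 does for SRV-based DANE, which is an assumption about the layout.

```python
import asyncio
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Validated:
    rdata: tuple   # rdata as it stands after validation
    secure: bool   # DNSSEC validation outcome (the resolver's AD-bit equivalent)


# Constructed zone data (not a real lookup). Key: (owner, rtype). Value: the rdata as first
# seen unvalidated (the preview), the rdata after validation, and whether validation succeeded.
ZoneEntry = Tuple[tuple, tuple, bool]
Zone = Dict[Tuple[str, str], ZoneEntry]

TLSA_DIGEST = "ab" * 32   # constructed SHA-256 placeholder, not a real certificate association

GOOD_ZONE: Zone = {
    ("_kerberos.arpa2.org.", "TXT"): (("ARPA2.ORG",), ("ARPA2.ORG",), True),
    ("_kerberos._udp.arpa2.org.", "SRV"): (((10, 10, 88, "kdc.arpa2.org."),),
                                           ((10, 10, 88, "kdc.arpa2.org."),), True),
    ("_88._udp.kdc.arpa2.org.", "TLSA"): (((3, 1, 1, TLSA_DIGEST),),
                                          ((3, 1, 1, TLSA_DIGEST),), True),
}

# Same zone, but a forged TXT reaches the preview stage first; validation later yields the
# genuine realm. The forged realm's own SRV/TLSA records exist but are unsigned (constructed).
SPOOFED_ZONE: Zone = dict(GOOD_ZONE)
SPOOFED_ZONE[("_kerberos.arpa2.org.", "TXT")] = (("EVIL.EXAMPLE",), ("ARPA2.ORG",), True)
SPOOFED_ZONE[("_kerberos._udp.evil.example.", "SRV")] = (((10, 10, 88, "kdc.evil.example."),),
                                                         ((10, 10, 88, "kdc.evil.example."),), False)
SPOOFED_ZONE[("_88._udp.kdc.evil.example.", "TLSA")] = (((3, 1, 1, TLSA_DIGEST),),
                                                        ((3, 1, 1, TLSA_DIGEST),), False)


class PreviewResolver:
    """Toy stand-in for an asynchronous validating resolver (assumed API, not libunbound's
    or getdns's). lookup() returns two futures: 'preview' completes as soon as the raw,
    unvalidated answer is in; 'final' completes once the extra DNSKEY/DS round trips of
    validation have finished."""

    def __init__(self, zone: Zone) -> None:
        self._zone = zone
        self._tasks = []   # keep task references alive until the loop finishes

    def lookup(self, owner: str, rtype: str):
        loop = asyncio.get_running_loop()
        preview, final = loop.create_future(), loop.create_future()

        async def run() -> None:
            # Unknown name: empty (NODATA-like) answer that does not validate
            entry = self._zone.get((owner, rtype), ((), (), False))
            await asyncio.sleep(0)             # first round trip: raw answer arrives
            preview.set_result(entry[0])
            await asyncio.sleep(0)             # further round trips: chain of trust checked
            final.set_result(Validated(entry[1], entry[2]))

        self._tasks.append(loop.create_task(run()))
        return preview, final


async def kerberos_chain(resolver: PreviewResolver, domain: str) -> Optional[dict]:
    """Walk TXT -> SRV -> TLSA, using each unvalidated preview to start the next query
    early, then refuse to act unless every link validated secure and its validated rdata
    equals the preview it was chained from."""
    txt_pre, txt_fin = resolver.lookup(f"_kerberos.{domain}", "TXT")
    txt = await txt_pre
    if not txt:
        return None
    realm = txt[0]                              # realm hint, still unvalidated

    srv_pre, srv_fin = resolver.lookup(f"_kerberos._udp.{realm.lower()}.", "SRV")
    srv = await srv_pre
    if not srv:
        return None
    _prio, _weight, port, target = srv[0]       # KDC hint, still unvalidated

    # TLSA owner under the SRV target, as RFC 7673 lays it out for SRV-based DANE (assumed)
    tlsa_pre, tlsa_fin = resolver.lookup(f"_{port}._udp.{target}", "TLSA")
    tlsa = await tlsa_pre
    if not tlsa:
        return None

    # Mop-up: all three validations must be in before anything external happens
    finals = await asyncio.gather(txt_fin, srv_fin, tlsa_fin)
    for hint, fin in zip((txt, srv, tlsa), finals):
        if not fin.secure or fin.rdata != hint:
            return None   # bogus/insecure link, or the preview we chained on was not what validated
    return {"realm": realm, "kdc": (target, port), "tlsa": tlsa}


def resolve_kerberos(zone: Zone, domain: str) -> Optional[dict]:
    """Synchronous entry point: run the speculative chain against a constructed zone."""
    async def main():
        return await kerberos_chain(PreviewResolver(zone), domain)
    return asyncio.run(main())


if __name__ == "__main__":
    print(resolve_kerberos(GOOD_ZONE, "arpa2.org."))      # full chain, all secure
    print(resolve_kerberos(SPOOFED_ZONE, "arpa2.org."))   # forged TXT preview: rejected
```

The comparison `fin.rdata != hint` is the part that makes the optimisation safe: a preview is only ever used to choose which query to send next, and the validated answer is what decides whether the result may be used. Queries spent on a forged or bogus branch cost latency, never correctness.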