Maintained by: NLnet Labs

Preview of data before security is established

Rick van Rein
Fri May 27 11:30:56 CEST 2016


Is there any way for an asynchronous program to get a preview of DNS
data that is in the process of being validated?

For instance, we sometimes need to go over these three records in a
sequence...

        IN TXT  "ARPA2.ORG"
        IN SRV  10 10 88  ...
        IN TLSA  ...

...and could imagine speeding up this enforced sequence by using the
insecure data as a hint, and later mop up all the security status of the
three components (before acting on it externally).

FWIW, I sent a similar question to the GetDNS users list, with more
elaborate information on this use case; we use this for Kerberos realm
crossover.  The last two steps also need to be sequentially ordered for
DANE when we access a remote LDAP directory from our TLS Pool.  The
_kerberos TXT record is described in draft-vanrein-dnstxt-krb1 which
currently sits in the RFC editor queue.
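The speculative TXT -> SRV -> TLSA chain the post describes, as an added example (it is not code from the post, from Unbound or from GetDNS): each lookup is started on the previous step's unvalidated payload, and the DNSSEC status of all three answers is mopped up before anything is handed back for external use. The asynchronous resolver stub, the sample zone and the owner names (the post elides them) are assumptions.

```python
import asyncio
from dataclasses import dataclass
from typing import Any

@dataclass
class Answer:
    data: Any      # RRset payload, available at once as an unvalidated hint
    status: str    # "secure", "insecure" or "bogus", known only after validation

# Hypothetical stand-in for an async validating resolver: the payload comes
# back immediately, the DNSSEC status only after an awaited delay.
class StubResolver:
    def __init__(self, zone):
        self.zone = zone
    def lookup(self, name, rrtype):
        data, status = self.zone[(name, rrtype)]
        async def validate():
            await asyncio.sleep(0.01)          # validation still in progress
            return Answer(data, status)
        return data, validate()

async def kerberos_chain(resolver, host):
    """Follow TXT -> SRV -> TLSA on hints, then settle the security status."""
    realm, v_txt = resolver.lookup(f"_kerberos.{host}", "TXT")
    srv, v_srv = resolver.lookup(f"_kerberos._tcp.{realm.lower()}", "SRV")
    _prio, _weight, port, target = srv
    tlsa, v_tlsa = resolver.lookup(f"_{port}._tcp.{target}", "TLSA")
    answers = await asyncio.gather(v_txt, v_srv, v_tlsa)   # the mop-up step
    statuses = [a.status for a in answers]
    if "bogus" in statuses:
        return None      # one failed validation taints everything built on it
    # Usable externally (e.g. for DANE) only if every link validated secure.
    return (target, port, tlsa), all(s == "secure" for s in statuses)

def run_chain(zone, host):
    return asyncio.run(kerberos_chain(StubResolver(zone), host))

# Constructed sample zone data; the TLSA payload is a placeholder, not a real hash.
ZONE = {
    ("_kerberos.ldap.example.org", "TXT"): ("ARPA2.ORG", "secure"),
    ("_kerberos._tcp.arpa2.org", "SRV"): ((10, 10, 88, "kdc.arpa2.org"), "secure"),
    ("_88._tcp.kdc.arpa2.org", "TLSA"): ("3 1 1 <placeholder-hash>", "secure"),
}

def with_status(zone, rrtype, status):
    """Copy of the zone with one record type's validation outcome changed."""
    return {k: (d, status if k[1] == rrtype else s) for k, (d, s) in zone.items()}
```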