Maintained by: NLnet Labs

Preview of data before security is established

W.C.A. Wijngaards
Mon May 30 09:24:12 CEST 2016


Hi Rick,

On 27/05/16 11:30, Rick van Rein via Unbound-users wrote:
> Hello,
> 
> Is there any way for an asynchronous program to get a preview of DNS
> data that is in the process of being validated?

No, not really.  Unbound actually validates queries via libunbound.
Actually internally, unbound can do queries without validation, and then
later resume validation 'from cache' at start.  But it doesn't do that.

You could have two contexts, one with a trust anchor and one without;
but they would not share cache entries, and do duplicate work.

If you know the query name in advance, you can start the queries early,
with asynchronous lookups.

Best regards, Wouter

> 
> For instance, we sometimes need to go over these three records in a
> sequence...
> 
> _kerberos.arpa2.org.       IN TXT  "ARPA2.ORG"
> _kerberos._udp.arpa2.org.  IN SRV  10 10 88  ...
> _88._udp.arpa2.org.        IN TLSA  ...
> 
> ...and could imagine speeding up this enforced sequence by using the
> insecure data as a hint, and later mop up all the security status of the
> three components (before acting on it externally).
> 
> FWIW, I sent a similar question to the GetDNS users list, with more
> elaborate information on this use case; we use this for Kerberos realm
> crossover.  The last two steps also need to be sequentially ordered for
> DANE when we access a remote LDAP directory from our TLS Pool.  The
> _kerberos TXT record is described in draft-vanrein-dnstxt-krb1 which
> currently sits in the RFC editor queue.
> 
> 
> Cheers,
>  -Rick
> 


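Wouter's reply suggests two contexts (one with a trust anchor, one without) and starting the queries early with asynchronous lookups. The following is an added example, not code from Unbound, from NLnet Labs or from either poster, of how a client could put that to work for the enforced TXT -> SRV -> TLSA sequence in Rick's question: answers from the non-validating context are used only to derive and launch the next query, and nothing is released for external use until the validating context has confirmed every step with identical data and no bogus answer. The `Answer` dataclass, `ChainGate`, the rdata parsing and all sample names and records are constructed for this example; `run_with_libunbound` wires the gate to the pyunbound binding using calls assumed from its documentation (`ub_ctx`, `add_ta`, `resolve_async`, `fd`, `process`, `RR_CLASS_IN`, `ub_result.data.data`) and needs the binding, a trust anchor and network access, while the rest runs offline.

```python
"""Insecure DNS answers as hints; external action gated on validated ones (constructed example)."""
import select
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RR_TXT, RR_SRV, RR_TLSA = 16, 33, 52
Query = Tuple[str, int]

@dataclass
class Answer:  # the ub_result fields the gate needs (a constructed mirror of pyunbound's)
    qname: str
    qtype: int
    havedata: bool
    secure: bool
    bogus: bool
    rdata: List[bytes] = field(default_factory=list)

def _txt(rd: bytes) -> str:  # join the <len><chars> substrings of one TXT rdata
    out, i = [], 0
    while i < len(rd):
        out.append(rd[i + 1:i + 1 + rd[i]].decode())
        i += 1 + rd[i]
    return "".join(out)

def _name(rd: bytes, off: int) -> str:  # uncompressed wire-format name starting at off
    labels = []
    while rd[off] != 0:
        labels.append(rd[off + 1:off + 1 + rd[off]].decode())
        off += 1 + rd[off]
    return ".".join(labels) + "."

def next_query(ans: Answer) -> Optional[Query]:  # next step of the chain from the first RR
    if ans.qtype == RR_TXT:   # realm (DNS names are case-insensitive) -> SRV owner name
        return ("_kerberos._udp.%s." % _txt(ans.rdata[0]).rstrip(".").lower(), RR_SRV)
    if ans.qtype == RR_SRV:   # SRV port + target -> TLSA owner name
        port = struct.unpack("!HHH", ans.rdata[0][:6])[2]
        return ("_%d._udp.%s" % (port, _name(ans.rdata[0], 6)), RR_TLSA)
    return None               # TLSA ends the chain

class ChainGate:
    """Launch follow-up queries from whichever answer arrives first (normally the insecure
    hint); ready() only once the validating context confirmed every step with identical data."""
    def __init__(self, start: Query):
        self.launched: Set[Query] = {start}
        self.answers: Dict[bool, Dict[Query, Answer]] = {False: {}, True: {}}  # validated? -> q
        self.failure: Optional[str] = None

    def on_answer(self, ans: Answer, validated: bool) -> Optional[Query]:
        key = (ans.qname, ans.qtype)
        if self.failure or key not in self.launched:   # ignore unsolicited or late answers
            return None
        other = self.answers[not validated].get(key)
        if ans.bogus or not ans.havedata or (validated and not ans.secure):
            self.failure = "bogus, missing or unsigned data for %s" % ans.qname
        elif other is not None and other.rdata != ans.rdata:
            self.failure = "hint and validated data differ for %s" % ans.qname
        if self.failure:
            return None
        self.answers[validated][key] = ans
        nxt = next_query(ans)
        if nxt is None or nxt in self.launched:        # already launched from the other context
            return None
        self.launched.add(nxt)
        return nxt

    def ready(self) -> bool:  # every launched query has a secure answer, TLSA included
        return (self.failure is None and set(self.answers[True]) == self.launched
                and any(t == RR_TLSA for _, t in self.launched))

def run_with_libunbound(start_qname: str, trust_anchor: str, timeout=5.0) -> ChainGate:
    """Drive the gate with two pyunbound contexts (assumed API; needs binding and network)."""
    import unbound  # Python binding shipped with Unbound; not needed for the offline parts
    fast, strict = unbound.ub_ctx(), unbound.ub_ctx()
    strict.add_ta(trust_anchor)      # only this context validates; caches are not shared
    gate = ChainGate((start_qname, RR_TXT))

    def callback(validated, status, result):
        if status != 0:
            gate.failure = "lookup error %d" % status
            return
        ans = Answer(result.qname, result.qtype, bool(result.havedata), bool(result.secure),
                     bool(result.bogus), list(result.data.data) if result.havedata else [])
        nxt = gate.on_answer(ans, validated)
        if nxt:
            launch(nxt)

    def launch(q: Query):  # same query on both contexts; the hint normally returns first
        for ctx, validated in ((fast, False), (strict, True)):
            ctx.resolve_async(q[0], validated, callback, q[1], unbound.RR_CLASS_IN)

    launch((start_qname, RR_TXT))
    while gate.failure is None and not gate.ready():
        readable, _, _ = select.select([fast.fd(), strict.fd()], [], [], timeout)
        if not readable:
            gate.failure = "timeout waiting for answers"
        for ctx in (fast, strict):
            if ctx.fd() in readable:
                ctx.process()            # runs callback for each finished answer
    return gate
```

As Wouter notes, the two contexts share no cache, so each name is resolved twice; the gain is only that the SRV and TLSA queries are launched as soon as the insecure TXT and SRV hints arrive rather than after their validation completes. A hint that later disagrees with the validated answer aborts the chain rather than being retried, which keeps the external action tied strictly to validated data.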