11 okt 2012 kl. 16:54 skrev Marius Zbihlei marius.zbihlei@1and1.ro:
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of having it in the respective recursive DNS server? I think most people which operate a SIP proxy do also have a resolving name server within their names. It may happen that bugfixes in DNSSEC libraries require to rebuild/restart your SIP proxy, instead of just updating the local recurser.
I imagined a situation in which you don't trust your resolver, even in same LAN. Due to ARP poisoning, DNS request (even your local resolver issues external requests) can be spoofed and incorrect data can be returned.
I think using bind locally as a resolved indeed eliminates this issue, but with DNS caching in place I fail to see the reason of using a local DNS resolver, instead one can use a network resolver. Just a little more flexibility.
With DANE, a new RFC, Kamailio will validate SSL certificates in a DNS-sec secured DNS zone. Feels good to be able to have control over the validation and get detailed error codes. And not have to trust an external software for security validation.
We should still be able to use an external resolver, of course.
/O