On 10/11/2012 05:40 PM, Klaus Darilion wrote:
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of having it in the respective recursive DNS server? I think most people which operate a SIP proxy do also have a resolving name server within their names. It may happen that bugfixes in DNSSEC libraries require to rebuild/restart your SIP proxy, instead of just updating the local recurser.
I imagined a situation in which you don't trust your resolver, even in same LAN. Due to ARP poisoning, DNS request (even your local resolver issues external requests) can be spoofed and incorrect data can be returned.
I think using bind locally as a resolved indeed eliminates this issue, but with DNS caching in place I fail to see the reason of using a local DNS resolver, instead one can use a network resolver. Just a little more flexibility.
Marius
regards Klaus