[sr-dev] git:master: Core: added DNSSEC support for DNS queries
Marius Zbihlei
marius.zbihlei at 1and1.ro
Thu Oct 11 16:54:40 CEST 2012
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
> Hi Marius!
>
> What's the benefit of having DNSSEC validation in Kamailio instead of
> having it in the respective recursive DNS server? I think most people
> who operate a SIP proxy also have a resolving name server within
> their names. It may happen that bugfixes in DNSSEC libraries require you to
> rebuild/restart your SIP proxy, instead of just updating the local recursor.
I imagined a situation in which you don't trust your resolver, even in
the same LAN. Due to ARP poisoning, DNS requests (even your local resolver
issues external requests) can be spoofed and incorrect data can be returned.
I think using bind locally as a resolver indeed eliminates this issue,
but with DNS caching in place I fail to see the reason for using a local
DNS resolver; instead one can use a network resolver. Just a little more
flexibility.
Marius
> regards
> Klaus
>
>
>
--
Zbihlei Marius
Head of
Linux Development Services Romania
1&1 Internet Development srl Tel KA: 754-9152
Str Mircea Eliade 18 Tel RO: +40-31-223-9152
Sect 1, Bucuresti mailto: marius.zbihlei at 1and1.ro
71295, Romania