[sr-dev] git:master: Core: added DNSSEC support for DNS queries

Olle E. Johansson oej at edvina.net
Fri Oct 12 08:46:51 CEST 2012


On 11 Oct 2012, at 16:54, Marius Zbihlei <marius.zbihlei at 1and1.ro> wrote:

> On 10/11/2012 05:40 PM, Klaus Darilion wrote:
>> Hi Marius!
>> 
>> What's the benefit of having DNSSEC validation in Kamailio instead of
>> having it in the respective recursive DNS server? I think most people
>> who operate a SIP proxy do also have a resolving name server within
>> their names. It may happen that bugfixes in DNSSEC libraries require to
>> rebuild/restart your SIP proxy, instead of just updating the local recurser.
> I imagined a situation in which you don't trust your resolver, even in the same LAN. Due to ARP poisoning, DNS requests (even your local resolver issues external requests) can be spoofed and incorrect data can be returned.
> 
> I think using bind locally as a resolver indeed eliminates this issue, but with DNS caching in place I fail to see the reason for using a local DNS resolver; instead one can use a network resolver. Just a little more flexibility.

With DANE, a new RFC, Kamailio will validate SSL certificates in a DNS-sec secured DNS zone. Feels good 
to be able to have control over the validation and get detailed error codes. And not have to trust an
external software for security validation.

We should still be able to use an external resolver, of course.

/O

