List: dns-security
Subject: Re: simple question
From: Edward Lewis <lewis () tis ! com>
Date: 1997-06-09 13:23:10
At 2:44 PM -0400 6/6/97, David Page X1566 wrote:
>My question is how do I verify the SIG? Or, does dig *automatically*
>verify everything? What about gethostbyname?
dig doesn't verify the SIG. The SIG, created by the signer (which is a
source code half-sibling of the name server), is verified by the name server
as the master file is read.
---------          ----------                  ----------
|       |  Query   |        |  Recurse Query   |        |
|  dig  |--------->| recurse|----------------->|  auth  |
|       |          |        |   Auth answer    |        |
|       |<- - - - -|        |<-----------------|        |
---------          ----------                  ----------
                       ^
                       |-----This is where a verification
                             happens, before answer is
                             cached and sent back to dig
Assume you were to have two name servers running, with one being
authoritative and the other recursive. Assume a query is issued to the
recursive one for data authoritatively belonging to the other server. In
this case, the recursive name server will perform a verification as it
learns the data. If the verification passes, the data is cached and the
answer sent to the client (dig).
Yes, this means that the line from the local default nameserver to the
client machine is 'unprotected' by this. The DNSSEC work secures transfers
between any two name servers. Clients may also wish to perform the
verification, but it is resource intensive. There is a proposal (TSIG) in
the works to 'secure' the link to the client (resolver, e.g., dig).
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis Trusted Information Systems
Phone: +1 301-854-5794 Email: lewis@tis.com
Opinions expressed are property of my evil twin, not my employer.
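As an added illustration of where the verification sits, here is a Go model (not code from the list message or from any name server) of the three boxes in the diagram: the recursive server checks the SIG when it learns an answer, caches only what verifies, and hands the client the bare RRset. ed25519 stands in for the SIG algorithm of the day, and the RRset layout, the Sign and Learn functions and the sample records are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RRset is a simplified owner/type/rdata record set, the unit a SIG covers (constructed layout).
type RRset struct {
	Owner, Type, Rdata string
}

// canonical is the byte string that gets signed and verified.
func (r RRset) canonical() []byte { return []byte(r.Owner + "|" + r.Type + "|" + r.Rdata) }

// SignedAnswer is what the authoritative server hands back: the RRset plus its SIG.
type SignedAnswer struct {
	Set RRset
	Sig []byte
}

// Sign plays the signer that processes the master file before the auth server serves it.
// ed25519 is a stand-in for the SIG algorithms of the time, chosen because Go ships it.
func Sign(key ed25519.PrivateKey, set RRset) SignedAnswer {
	return SignedAnswer{Set: set, Sig: ed25519.Sign(key, set.canonical())}
}

// Recursive is the recursive name server: it knows the zone's public key and keeps a cache.
type Recursive struct {
	ZoneKey ed25519.PublicKey
	Cache   map[string]RRset
}

// Learn models the recursive server receiving an authoritative answer. This is the point
// marked in the diagram: the SIG is checked here, and only verified data is cached and
// passed on. The client gets the RRset without the SIG, so the last hop is unprotected.
func (r *Recursive) Learn(ans SignedAnswer) (RRset, error) {
	if !ed25519.Verify(r.ZoneKey, ans.Set.canonical(), ans.Sig) {
		return RRset{}, errors.New("SIG verification failed; answer not cached")
	}
	r.Cache[ans.Set.Owner+"/"+ans.Set.Type] = ans.Set
	return ans.Set, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec := &Recursive{ZoneKey: pub, Cache: map[string]RRset{}}
	good := Sign(priv, RRset{"www.example.", "A", "192.0.2.1"}) // constructed record
	fmt.Println(rec.Learn(good))
	forged := good
	forged.Set.Rdata = "198.51.100.9" // constructed: rdata altered after signing
	fmt.Println(rec.Learn(forged))
}
```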