Do certificates for IP Addresses work?

Sanjeev Gupta ghane0 at gmail.com
Sun Feb 3 19:39:44 UTC 2019


On Sat, Feb 2, 2019 at 8:57 AM Richard Laager via devel <devel at ntpsec.org>
wrote:

>
> About 19% of the world is doing DNSSEC validation, in large part because
> apparently 15% of the world is using Google's recursive DNS service.
>

Actually, things are much worse.

The Google resolver checks for valid DNSSEC, and sets the bit.  However,
practically no one contacts Google DNS directly; it is their home router or
office gateway that does this.  And these resolvers do not check DNSSEC.
Hence the validation chain is broken.

If you

   1. run a resolver locally on your machine; and
   2. that does no forwarding; and
   3. has validation turned on

DNSSEC should work.  You can then set the resolver to not accept non-signed
replies (and most of the Internet will break).

Please see: https://dnssec.vs.uni-due.de/  and https://en.internet.nl/

And, of course, applications such as ntpd will not know if the address
resolved was secured with DNSSEC or not. They will, depending on the policy
of their resolver, get an answer or not.

-- 
Sanjeev Gupta
+65 98551208     http://www.linkedin.com/in/ghane
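The "bit" referred to above is the AD (Authenticated Data) flag in the DNS header, which a validating resolver sets when the answer chain checked out; a client only sees it if it asks with the EDNS0 DO bit and trusts the path to the resolver it asked. The following is an added example, not code from the post or from the NTPsec project: it builds such a query in wire format and reads the AD flag back from a response, using two constructed response headers (one from a validating resolver, one from a non-validating forwarder) so it runs offline. The query name `example.com`, the transaction id and the sample packets are assumptions for the illustration; `query_resolver` is an optional network helper for trying it against a real resolver such as one listening on 127.0.0.1.

```python
"""Build a DNSSEC-aware DNS query and read the AD flag back from the reply.

Added example (not from the mailing-list post). Standard library only; the
sample responses below are constructed so the check can run without network.
"""
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: set only by a validating resolver
FLAG_CD = 0x0010  # Checking Disabled
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT RR's TTL field (RFC 6891)


def encode_name(name):
    """Encode a dotted name as DNS labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Return a wire-format query; with dnssec_ok, add an OPT RR carrying DO."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if not dnssec_ok:
        return header + question
    # OPT RR: root name, type 41, UDP payload size 4096,
    # extended RCODE 0, EDNS version 0, flags = DO, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_flags(packet):
    """Return the header fields an application would look at in a response."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
    }


def validated(packet):
    """True only for a successful response with AD set.

    AD is only as trustworthy as the path to the resolver that set it: a home
    gateway that forwards to Google and does not validate itself will not set
    AD, which is exactly the broken chain described in the post.
    """
    f = parse_flags(packet)
    return f["qr"] and f["rcode"] == 0 and f["ad"]


def query_resolver(server, name, timeout=3.0):
    """Send the query over UDP to `server` and return the raw response.

    Network helper for manual use (e.g. against 127.0.0.1); not exercised by
    the offline check below.
    """
    import socket

    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return data


# Constructed sample responses (only the 12-byte header matters for this check):
# the same question answered by a validating resolver and by a plain forwarder.
VALIDATED_RESPONSE = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1
)
PLAIN_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)

if __name__ == "__main__":
    print("query:", build_query("example.com.").hex())
    print("validating resolver:", validated(VALIDATED_RESPONSE))
    print("plain forwarder:    ", validated(PLAIN_RESPONSE))
```

The design point is the one the post makes: an ordinary `getaddrinfo()` call never surfaces this flag, so a program like ntpd that relies on the system resolver cannot tell the two responses apart; only a client that speaks DNS itself, to a validating resolver it reaches over a trusted path, can make the distinction.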