[getdns-users] STUB mode, does it validate DNSSEC security?

Rick van Rein rick at openfortress.nl
Thu Feb 25 17:53:56 UTC 2016


Hi Allison,

Thank you very much.  Willem's talk starts off by clearly positioning
GetDNS as a secure stub resolver, possibly at the OS level; this
probably is the main statement to make, and I wasn't quite clear based
on the website.  One aspect of that is the overlap with libunbound, and
the absence of a comparison of which/why/when between the two.  Is that
helpful feedback?

> Interesting point about the API. I hope others will comment in detail.
>
Maybe it helps to give a few advanced DNS use cases then.

Of course, where I wrote "object" you are welcome to read "callback
function registration".  The change notifications of live network state
(after TTL expiration) are what it is about.  It's like caching, but
application-driven.  A model that works particularly well I think is
LDAP's "SyncRepl" mechanism [RFC 4533], where you send a search and
annotate it with "oh, and if you have updates then let me know please,
I'll stay connected".  If that conceptual model would be possible,
leading to callbacks when RRsets are changed, or their security status,
then it could greatly simplify heavy-weight use of DNS.

As an example, I wrote a DNSKEY-uploader-to-parent script that
scrutinises timing information on DSs and DNSKEYs or their absence, in
order to do nothing too hastily.  The code is rock-solid but needs to do
a lot of administration of DNS-based timing and absence/presence of
records.  There is a general underlying concept, I think; I'm now
working on a similarly robust RESTful API to OpenDNSSEC, and I find
myself turning to pydns with the same zeal for detail.

The reason I am now looking into GetDNS is for my TLS Pool [1]; a daemon
that takes TLS out of applications, to separate private keys from
application logic (or "frivolity" if you like).  Of course I'm looking
at DANE, but is it best used if only done at the start of a session?  My
preference would be to register for changes to the chain that leads to
my TLSA record throughout the lifetime of a TLS connection (which may be
long, for instance when using LDAP or IMAP).

Another part of my InternetWide.org work is an interest in realm
crossover for Kerberos [2] (and proper embedding of Kerberos in TLS
[3]).  During this "impromptu" crossover, public keys are used, and it
would be very interesting if it would be possible to reverse
automatically when TLSA records are pulled from DNS.

Making such things easy, not necessarily through an object API but at
least facilitating that sort of object, could IMHO be a great asset to
the usefulness of DNSSEC, DANE and other improvements for online security.


Sorry for the infodump, I hadn't expected such an open response to my
API remark!  But don't get me started, there's more where that came from :)


Cheers,
 -Rick

[1] https://github.com/arpa2/tlspool
[2] http://internetwide.org/blog/2015/04/22/id-2-byoid.html
[3] http://internetwide.org/blog/2015/11/24/somethings-cooking-3.html


> Thank you for writing. We're glad to continue discussion.
>
> Allison
>
> (getdns Team Coordinator)
>
> Hello,
>
> I'm looking into GetDNS, curious about a new player on the landscape,
>
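The SyncRepl-like model Rick sketches (register interest in an RRset, get a callback when its contents or its DNSSEC status change after the TTL runs out) and the DANE use case of watching a TLSA chain for the lifetime of a long TLS session can be illustrated with a small watcher. The code below is an added example, not code from the original post, from getdns, or from the TLS Pool project. The resolver is a constructed stand-in driven by simulated time; the name `_443._tcp.example.com`, the TLSA rdata strings and the timeline of answers are all hypothetical. In a real deployment the resolver function would wrap a validating stub resolver and the callback would, for example, tear down connections whose TLSA chain has become bogus.

```python
"""TTL-driven RRset watcher with change callbacks (added example, not getdns code).

Models application-driven caching: each subscription is re-queried when its
TTL expires, and the registered callback fires only when the RRset's records
or its DNSSEC validation status differ from the previous snapshot.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Validation statuses, mirroring the usual validating-resolver outcomes.
SECURE, INSECURE, BOGUS, INDETERMINATE = "secure", "insecure", "bogus", "indeterminate"


@dataclass(frozen=True)
class RRsetSnapshot:
    records: frozenset   # rdata strings; order is irrelevant for comparison
    ttl: int             # seconds until the answer must be re-fetched
    status: str          # DNSSEC validation status of this RRset


# A resolver is any callable (name, rrtype, now) -> RRsetSnapshot.
Resolver = Callable[[str, str, float], RRsetSnapshot]
# Callback signature: (name, rrtype, previous snapshot or None, new snapshot).
ChangeCallback = Callable[[str, str, Optional[RRsetSnapshot], RRsetSnapshot], None]


@dataclass
class Subscription:
    name: str
    rrtype: str
    on_change: ChangeCallback
    last: Optional[RRsetSnapshot] = None
    expires_at: float = 0.0


class RRsetWatcher:
    """Keeps subscriptions fresh and reports changes, SyncRepl-style."""

    def __init__(self, resolver: Resolver):
        self.resolver = resolver
        self.subs: list[Subscription] = []

    def subscribe(self, name: str, rrtype: str, on_change: ChangeCallback, now: float) -> Subscription:
        sub = Subscription(name, rrtype, on_change)
        self.subs.append(sub)
        self._refresh(sub, now)      # the first answer is reported as a change from "nothing"
        return sub

    def _refresh(self, sub: Subscription, now: float) -> None:
        snap = self.resolver(sub.name, sub.rrtype, now)
        sub.expires_at = now + snap.ttl
        prev = sub.last
        changed = prev is None or prev.records != snap.records or prev.status != snap.status
        sub.last = snap
        if changed:
            sub.on_change(sub.name, sub.rrtype, prev, snap)

    def tick(self, now: float) -> int:
        """Re-query every subscription whose TTL has run out; returns how many were refreshed."""
        refreshed = 0
        for sub in self.subs:
            if now >= sub.expires_at:
                self._refresh(sub, now)
                refreshed += 1
        return refreshed


def make_timeline_resolver(timeline):
    """Constructed resolver: timeline is [(valid_from, snapshot)], sorted by valid_from."""
    def resolver(name: str, rrtype: str, now: float) -> RRsetSnapshot:
        current = timeline[0][1]
        for start, snap in timeline:
            if now >= start:
                current = snap
        return current
    return resolver


# Constructed sample (hypothetical name and rdata): the TLSA RRset is rolled to
# two records at t=600 and its chain starts failing validation at t=1200.
TLSA_NAME = "_443._tcp.example.com"
OLD = RRsetSnapshot(frozenset({"3 1 1 aaaa"}), 300, SECURE)
NEW = RRsetSnapshot(frozenset({"3 1 1 aaaa", "3 1 1 bbbb"}), 300, SECURE)
BAD = RRsetSnapshot(frozenset({"3 1 1 aaaa", "3 1 1 bbbb"}), 300, BOGUS)
TIMELINE = [(0, OLD), (600, NEW), (1200, BAD)]


def run_demo():
    """Drive the watcher through simulated time; returns the list of change events."""
    events = []

    def on_change(name, rrtype, prev, snap):
        events.append((name, rrtype, None if prev is None else prev.status,
                       snap.status, sorted(snap.records)))

    watcher = RRsetWatcher(make_timeline_resolver(TIMELINE))
    watcher.subscribe(TLSA_NAME, "TLSA", on_change, now=0)
    for t in range(0, 1800, 100):      # poll every 100 s; refreshes only happen at TTL expiry
        watcher.tick(t)
    return events


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

With this timeline the callback fires three times: once for the initial answer, once at t=600 when the rolled RRset is picked up, and once at t=1200 when the same records come back bogus. The unchanged re-fetches at t=300, 900 and 1500 produce no callback, which is the point of the model: the application pays attention only to transitions, not to every TTL expiry.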