Re: DNSSEC for squid

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Mon, 10 Nov 2008 21:53:46 +0100

On mån, 2008-11-10 at 14:54 +0100, Willi Herzig wrote:

> is there any support of squid to validate DNS queries using DNSSEC (DNS
> Security Extensions)? Or is it planned?

Not at this time. But if the local resolver daemon supports DNSSEC then
if I am not mistaken Squid should be able to take benefit of this.

There are also thoughts about being able to use TCP exclusively for
talking to the DNS resolver, solving issues when the transport to the
resolver is not trusted.

> It would be very useful if squid validates DNS queries using DNSSEC (for
> example using a library like libval) and shows the result as an error
> message if there are any problems with this domain.
> Without DNSSEC support the user will just get the message "Could not get
> an IP address SERVER ERROR" without knowing that the name exists, but
> there was just an error validating the domain (for example a cache
> poisoning attack).

Right. This would be quite meaningful, unless the resolver does the
needed dance to recover from / ignore attacks making sure that the
correct reply is given to the client (squid).

Regards
Henrik
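As an added illustration of the distinction Willi raises (example code written for this archive page, not Squid's own or any DNSSEC library's code): a validating resolver answers bogus data with SERVFAIL, so a client that wants to tell "validation failed" apart from "name does not exist" or "resolver broken" has to look at the rcode and the AD bit and, following RFC 4035 section 3.2.2, resend the query with CD=1. The packets below are constructed header-only replies, not captured traffic.

```python
import struct
from typing import Optional

# Header flag bits: RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (only the fields the decision needs)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": ident, "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0x000F, "ancount": ancount}

def classify(reply: bytes, cd_reply: Optional[bytes] = None) -> str:
    """Map a validating resolver's reply to a message more specific than
    "Could not get an IP address".  reply is the answer to the normal (CD=0)
    query; cd_reply, if given, is the answer to the same query resent with
    CD=1 (RFC 4035 section 3.2.2), which succeeds when data exists but is bogus."""
    h = parse_header(reply)
    if h["rcode"] == NXDOMAIN:
        return "name does not exist (NXDOMAIN)"
    if h["rcode"] == NOERROR:
        return ("answer validated by resolver (AD set)" if h["ad"]
                else "answer not validated (unsigned zone or non-validating resolver)")
    if h["rcode"] == SERVFAIL:
        if cd_reply is not None and parse_header(cd_reply)["rcode"] == NOERROR:
            return "DNSSEC validation failed: data exists but is bogus"
        return "resolver failure (SERVFAIL); cause unknown without a CD=1 retry"
    return f"unexpected rcode {h['rcode']}"

def build_reply(ident: int, rcode: int, ad: bool = False, cd: bool = False,
                ancount: int = 0) -> bytes:
    """Constructed sample reply header: QR/RD/RA set, no question or records appended."""
    flags = QR | RD | RA | (AD if ad else 0) | (CD if cd else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)

# Constructed sample replies (not captured traffic)
VALIDATED = build_reply(0x1001, NOERROR, ad=True, ancount=1)
NXDOMAIN_REPLY = build_reply(0x1002, NXDOMAIN)
BOGUS_CD0 = build_reply(0x1003, SERVFAIL)                       # validator refuses bogus data
BOGUS_CD1 = build_reply(0x1003, NOERROR, cd=True, ancount=1)    # same name, CD=1: returned unvalidated

if __name__ == "__main__":
    for args in ((VALIDATED,), (NXDOMAIN_REPLY,), (BOGUS_CD0, BOGUS_CD1), (BOGUS_CD0,)):
        print(classify(*args))
```

A real client would also check that the reply ID and question match the query before trusting the rcode; that step is left out here to keep the decision logic visible.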

Received on Mon Nov 10 2008 - 20:53:53 MST

This archive was generated by hypermail 2.2.0 : Tue Nov 11 2008 - 12:00:03 MST