Philip Homburg <[email protected]> wrote:
>> If a stub resolver (such as an IoT device) wants to know if the
>> recursive resolver is doing DNSSEC validation, I'm not aware of any
>> mechanism other than doing a query that they expect will be signed,
>> and observing the AD bit.
> Do you care more about false positives or false negatives? Usually for
> security it is most important to avoid false positives.
(depending on how the question is asked...)
probably one would prefer not to use a resolver that appears not to be
validating (false positive) than use a resolver that is not validating,
thinking it is.
> So the first check should be a zone that is deliberately bogus. If a
> regular query fails with SERVFAIL and query with the CD flags succeeds
> then there is a good chance that the resolver is validating.
Do we have zones that have promised they will always be bogus?
I point to:
https://arstechnica.com/information-technology/2017/05/wanna-decryptor-kill-switch-analysis/
Picking random strings to fail with will probably set off sensors.
> The next test should be a DNSSEC insecure zone and check if the AD bit
> is clear.
> The last check, whether a zone that is signed results in the AD bit
> being set, might be omitted. The goal of this type of security is to
> fail closed. Though it may help generate better error messages
> (assuming there is a way to show them).
There isn't a way to show the error.
At least, not without working, secure, DNS.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
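The three-step check discussed in the thread (bogus zone must SERVFAIL without CD and succeed with CD; an unsigned zone must come back without AD; optionally a signed zone should come back with AD), as an added example that is not code from either poster. It builds the queries in raw DNS wire format with the standard library only, so the CD and DO bits are set explicitly rather than relying on a stub library's defaults, and it fails closed: any result that does not match the expected pattern is reported as "not-validating". The zone names `bogus.example.`, `insecure.example.` and `signed.example.` are placeholders (an assumption, not real test zones); in line with the point about sensors above, they should be replaced with zones that are documented to stay bogus, unsigned and signed respectively, not with random names. The sample responses at the bottom are constructed headers, not captured packets.

```python
"""Probe a recursive resolver for DNSSEC validation using raw DNS wire format.

Added example for the checks discussed in the thread; standard library only.
Zone names below are placeholders (assumption): substitute zones that are
documented to remain bogus / unsigned / signed.
"""
import random
import socket
import struct

# DNS header flag bits (RFC 1035 s4.1.1, RFC 4035 s3.2) and RCODEs.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

# Placeholder zone names (assumption, not real test zones).
BOGUS_ZONE = "bogus.example."
INSECURE_ZONE = "insecure.example."
SIGNED_ZONE = "signed.example."


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, cd=False, txid=None):
    """Wire-format IN query with RD, optional CD, and an EDNS0 OPT RR with DO set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode 0 / version 0 / flags with DO (0x8000), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return txid, header + question + opt


def parse_header(msg):
    """Return the header fields the checks depend on (ID, RCODE, AD, CD, ANCOUNT)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & RCODE_MASK, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "ancount": an}


def probe(resolver, name, cd=False, timeout=2.0):
    """Send one query over UDP (network call) and return the parsed response header."""
    txid, wire = build_query(name, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txid:
        raise ValueError("transaction ID mismatch")
    return hdr


def classify(bogus_plain, bogus_cd, insecure, signed=None):
    """Apply the three checks from the thread; any doubt -> 'not-validating' (fail closed)."""
    # 1. Bogus zone: plain query must SERVFAIL and the same query with CD must succeed.
    #    Both failing may just mean a broken zone; both succeeding means nobody validated.
    if bogus_plain["rcode"] != RCODE_SERVFAIL or bogus_cd["rcode"] != RCODE_NOERROR:
        return "not-validating"
    # 2. Unsigned zone: AD must be clear. A resolver setting AD here cannot be trusted.
    if insecure["ad"]:
        return "not-validating"
    # 3. Optional: a signed zone should come back with AD set.
    if signed is not None and not signed["ad"]:
        return "not-validating"
    return "validating"


def response_header(txid, rcode, ad=False, cd=False):
    """Constructed 12-byte response header (sample data, not a captured packet)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


# Constructed sample: what a validating resolver returns for the three probes.
VALIDATING_SAMPLE = dict(
    bogus_plain=parse_header(response_header(1, RCODE_SERVFAIL)),
    bogus_cd=parse_header(response_header(2, RCODE_NOERROR, cd=True)),
    insecure=parse_header(response_header(3, RCODE_NOERROR)),
    signed=parse_header(response_header(4, RCODE_NOERROR, ad=True)),
)
# Constructed sample: a non-validating resolver happily answers the bogus zone.
NON_VALIDATING_SAMPLE = dict(VALIDATING_SAMPLE,
                             bogus_plain=parse_header(response_header(1, RCODE_NOERROR)))


def run_probes(resolver):
    """Run the live probes against `resolver` (IPv4 address string) and classify it."""
    return classify(probe(resolver, BOGUS_ZONE), probe(resolver, BOGUS_ZONE, cd=True),
                    probe(resolver, INSECURE_ZONE), probe(resolver, SIGNED_ZONE))


if __name__ == "__main__":
    print("validating sample:", classify(**VALIDATING_SAMPLE))
    print("non-validating sample:", classify(**NON_VALIDATING_SAMPLE))
```

`run_probes("192.0.2.53")` (address is a placeholder) performs the live version; note that a stub with no other trustworthy channel can only act on the verdict, which is the point made above about there being no way to show the error.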
