12 Oct
2012
12 Oct
'12
9:46 a.m.
11 okt 2012 kl. 16:54 skrev Marius Zbihlei <marius.zbihlei(a)1and1.ro>ro>:
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
With DANE, a new RFC, Kamailio will validate SSL certificates in a DNS-sec secured DNS
zone. Feels good
to be able to have control over the validation and get detailed error codes. And not have
to trust an
external software for security validation.
We should still be able to use an external resolver, of course.
/O
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of
having it in the respective recursive DNS server? I think most people
which operate a SIP proxy do also have a resolving name server within
their names. It may happen that bugfixes in DNSSEC libraries require to
rebuild/restart your SIP proxy, instead of just updating the local recurser.
I
imagined a situation in which you don't trust your resolver, even in same LAN. Due to
ARP poisoning, DNS request (even your local resolver issues external requests) can be
spoofed and incorrect data can be returned.
I think using bind locally as a resolved indeed eliminates this issue, but with DNS
caching in place I fail to see the reason of using a local DNS resolver, instead one can
use a network resolver. Just a little more flexibility.