11 Oct
2012
11 Oct
'12
5:54 p.m.
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of
having it in the respective recursive DNS server? I think most people
which operate a SIP proxy do also have a resolving name server within
their names. It may happen that bugfixes in DNSSEC libraries require to
rebuild/restart your SIP proxy, instead of just updating the local recurser.
I
imagined a situation in which you don't trust your resolver, even in
same LAN. Due to ARP poisoning, DNS request (even your local resolver
issues external requests) can be spoofed and incorrect data can be returned.
I think using bind locally as a resolved indeed eliminates this issue,
but with DNS caching in place I fail to see the reason of using a local
DNS resolver, instead one can use a network resolver. Just a little more
flexibility.
Marius
regards
Klaus
--
Zbihlei Marius
Head of
Linux Development Services Romania
1&1 Internet Development srl Tel KA: 754-9152
Str Mircea Eliade 18 Tel RO: +40-31-223-9152
Sect 1, Bucuresti mailto: marius.zbihlei(a)1and1.ro
71295, Romania