[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?

Paul Wouters paul at nohats.ca
Sat Mar 10 17:38:48 EST 2012

On Sat, 10 Mar 2012, Niccolò Belli wrote:

> With .it still not having IPv6 glue and DNSSEC signatures I finally got a 
> working DNSSEC setup with linuxsystems.biz. Next goal was putting a Passive 
> OE gateway in front of my servers, when suddenly a doubt arises: what about 
> the reverse zone? I was relieved when I discovered in-addr.arpa was DNSSEC 
> signed, but then: http://www.sixxs.net/faq/dns/?faq=dnssec
> "Unfortunately, even though there is a possibility for doing DNSSEC in the 
> .arpa zone, the intermediate DNS Servers at the various ISPs do not support 
> DNSSEC yet."
> What a pity, is there someone actually doing Passive/Full OE using DNSSEC 
> Look-aside Validation for the reverse?

OE based on the reverse is pretty much dead. However, with people moving
to run validator resolvers on their end nodes, there is good OE possible
via the forward zones.

Imagine openswan and unbound running on a laptop

1) firefox asks unbound for www.openswan.org
2) unbound gets the A/AAAA record, but does not yet give it to firefox
3) unbound queries for IPSECKEY record for www.openswan.org
4) if received, unbound runs an ipsec whack command that pushes the
    IP from the A/AAAA record with the IPSECKEY-obtained RSA key into
5) pluto loads the policy, meaning it will %trap packets to the IP
6) unbound releases the A/AAAA to firefox
7) firefox sends a packet, the kernel traps it and triggers pluto
8) pluto initiates an IKE connection and sets up an IPsec SA
9) packet is released, connection is set up encrypted to www.openswan.org

While we could still use the existing reverse based OE, it needs to be
updated to use IPSECKEY instead of KEY or TXT records.
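The resolver-side half of the scheme above (steps 2 to 6: hold the A/AAAA answer, read the IPSECKEY RRset, push a key and %trap policy into pluto, then release the answer), written out as an added example. This is illustration code, not part of Openswan or Unbound: it parses IPSECKEY records in RFC 4025 presentation format, picks the lowest-precedence RSA record (handling both a host's own key and an OE gateway in front of the host, which is the setup asked about in the question), converts the RFC 3110 key field to Openswan's `0s` base64 form and builds the `ipsec whack` argument lists. The sample records, the connection name and the `run` callback are constructed for the example; the whack flag names are as recalled from `ipsec whack --help` and should be checked against the installed version. The one check that matters for security is also here: nothing is loaded unless the DNS data was DNSSEC-validated, because an attacker who can forge the IPSECKEY (or the A/AAAA) answer would otherwise choose the key the laptop encrypts to.

```python
"""Resolver-side half of forward-zone opportunistic encryption (OE).

Added illustration, not Openswan or Unbound code. Sample records, the
connection name, the minimum key size and the whack flag set are
assumptions of this example.
"""
import base64
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3   # RFC 4025 gateway types
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2               # RFC 4025 algorithms
MIN_RSA_BITS = 2048                                # local policy (assumption)


@dataclass
class IPSECKEY:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: Optional[str]   # IP address text, domain name, or None
    public_key: bytes        # raw key field; RFC 3110 layout for RSA


def parse_ipseckey(rdata: str) -> IPSECKEY:
    """Parse presentation format: '<prec> <gwtype> <alg> <gateway> <base64>'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("IPSECKEY needs at least four fields")
    prec, gwtype, alg = (int(f) for f in fields[:3])
    if not all(0 <= v <= 255 for v in (prec, gwtype, alg)):
        raise ValueError("precedence/gateway type/algorithm must fit a byte")
    gw_text, key_b64 = fields[3], "".join(fields[4:])   # key may be split by spaces
    if gwtype == GW_NONE:
        if gw_text != ".":
            raise ValueError("gateway type 0 requires '.' as gateway")
        gateway = None
    elif gwtype == GW_IPV4:
        gateway = str(ipaddress.IPv4Address(gw_text))
    elif gwtype == GW_IPV6:
        gateway = str(ipaddress.IPv6Address(gw_text))
    elif gwtype == GW_NAME:
        gateway = gw_text.rstrip(".").lower()
    else:
        raise ValueError(f"unknown gateway type {gwtype}")
    if alg == ALG_NONE and key_b64:
        raise ValueError("algorithm 0 must not carry a key")
    key = base64.b64decode(key_b64, validate=True) if key_b64 else b""
    return IPSECKEY(prec, gwtype, alg, gateway, key)


def rsa_modulus_bits(key: bytes) -> int:
    """Modulus size of an RFC 3110 key field (1- or 3-byte exponent length)."""
    if len(key) < 2:
        raise ValueError("key field too short")
    elen, off = key[0], 1
    if elen == 0:                                   # long-form exponent length
        elen, off = int.from_bytes(key[1:3], "big"), 3
    modulus = key[off + elen:]
    if not modulus:
        raise ValueError("key field has no modulus")
    return int.from_bytes(modulus, "big").bit_length()


def select_key(records: List[IPSECKEY]) -> Optional[IPSECKEY]:
    """Lowest precedence wins (RFC 4025). Only RSA records with no gateway or
    an IP-address gateway are usable here; a domain-name gateway would need a
    further validated lookup and is skipped in this example."""
    usable = [r for r in records
              if r.algorithm == ALG_RSA and r.public_key
              and r.gateway_type in (GW_NONE, GW_IPV4, GW_IPV6)
              and rsa_modulus_bits(r.public_key) >= MIN_RSA_BITS]
    return min(usable, key=lambda r: r.precedence, default=None)


def whack_argv(conn: str, target_ip: str, rec: IPSECKEY) -> List[List[str]]:
    """Commands that push the key into pluto and install the %trap policy.
    Flag names as recalled from Openswan's `ipsec whack --help` (assumption)."""
    peer = rec.gateway if rec.gateway_type in (GW_IPV4, GW_IPV6) else target_ip
    pubkey = "0s" + base64.b64encode(rec.public_key).decode()   # Openswan 0s form
    add = ["ipsec", "whack", "--name", conn,
           "--host", "%defaultroute",                # left: this laptop
           "--to", "--host", peer, "--rsasigkey", pubkey]
    if peer != target_ip:                             # OE gateway in front of the host
        plen = 128 if ipaddress.ip_address(target_ip).version == 6 else 32
        add += ["--client", f"{target_ip}/{plen}"]
    add += ["--encrypt", "--tunnel", "--pfs"]
    route = ["ipsec", "whack", "--route", "--name", conn]   # installs the %trap
    return [add, route]


def answer_with_oe(qname: str, answer_ips: List[str], ipseckey_rdatas: List[str],
                   validated: bool, run: Callable[[List[str]], None]
                   ) -> Tuple[List[str], List[List[str]]]:
    """Hold the A/AAAA answer, load OE policy for each address, then release.
    `run` executes an argv (a subprocess call in practice; a recorder in tests).
    Unvalidated data loads nothing: a forged IPSECKEY or A/AAAA would let an
    attacker pick the key this host encrypts to."""
    loaded: List[List[str]] = []
    if not validated:
        return answer_ips, loaded
    records = []
    for rd in ipseckey_rdatas:
        try:
            records.append(parse_ipseckey(rd))
        except ValueError:
            continue                                  # ignore malformed records
    rec = select_key(records)
    if rec is not None:
        for ip in answer_ips:
            for argv in whack_argv(f"oe-{qname}-{ip}", ip, rec):
                run(argv)
                loaded.append(argv)
    return answer_ips, loaded                         # answer released only now


# Constructed sample data; not real records for openswan.org.
SAMPLE_KEY = b"\x03\x01\x00\x01" + b"\xc3" + bytes(range(255))  # e=65537, 2048-bit n
SAMPLE_B64 = base64.b64encode(SAMPLE_KEY).decode()
SAMPLE_RRSET = [
    f"10 1 2 192.0.2.1 {SAMPLE_B64}",    # preferred: OE gateway in front of the host
    f"20 0 2 . {SAMPLE_B64}",            # fallback: the host's own key
    "30 3 2 gw.example.net. AQ==",       # domain-name gateway: skipped here
]

if __name__ == "__main__":
    answer_with_oe("www.openswan.org", ["192.0.2.38"], SAMPLE_RRSET, True, print)
```

The `validated` flag stands for the AD bit a local validating resolver sets on both the A/AAAA and the IPSECKEY answers; with a forwarder that strips it, or with the reverse-zone path the question asks about, the flag would be false and this code correctly refuses to load anything.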

