[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?
darkbasic at linuxsystems.it
Sat Mar 10 20:48:52 EST 2012
That's the very same implementation I thought while trying to find an
alternative, unfortunately installing openswan and a validating resolver
in every client isn't realistic: only a bunch of nerds will end up using it.
With the reverse approach, instead, a sysadmin can simply put openswan
in his network's gateway to encrypt all the connections from the
clients. Anyway maybe we can achieve the same goal putting the
validating resolver in the gateway itself...
Also, there is a thing in the old approach I never fully understood:
when an iOE wants to connect to a full-OE, it transmits the FQDN as an
ID during the IKE negotiation, then the other peer retrieves the TXT
record with the keying information. What's the point? Why not sending
the informations directly?
Concerning the reverse zones: your SMTP doesn't have a valid PTR record
(I keep receiving your e-mails in the spam folder).
More information about the Users