[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?

Paul Wouters pwouters at redhat.com
Sun Mar 11 12:45:48 EDT 2012


On Sun, 11 Mar 2012, Niccolò Belli wrote:

> On 11/03/2012 17:22, Paul Wouters wrote:
>> yum install dnssec-trigger
>> 
>> https://fedoraproject.org/wiki/Features/DNSSEC_on_workstations
>
> Unfortunately I don't use Fedora and my intention is to put openswan directly 
> in the gateway, not in the single clients.

dnssec-trigger and unbound are not fedora specific.

If you want OE, then the individual clients will run IPsec/IKE. I am not
sure what you otherwise would be thinking of?

> All clients do already use a local validating resolver (bind), but I really 
> don't know how to do the following steps:
>
>> 4) if received, unbound runs an ipsec whack command that pushes the
>>     IP from the A/AAAA record with the IPSECKEY obtained RSA key into
>>     pluto
>> 5) pluto loads the policy, meaning it will %trap packets to the IP
>> 6) unbound releases the A/AAAA to firefox

We will use unbound because it can easily be extended using python to do
these specific steps. Perhaps someone can port those features to bind.
Perhaps bind10 will allow easy plugins as well?

Paul
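
Steps 4 to 6 quoted above hand the A/AAAA address and an IPSECKEY-derived RSA key to pluto. As an added example (not code from Openswan, unbound or this thread), here is the DNS side of that step in Python: parsing IPSECKEY RDATA per RFC 4025, splitting the RFC 3110 RSA key, and choosing the record a resolver hook would pass on. The records are constructed and assumed already DNSSEC-validated by the resolver; the `ipsec whack` call itself is not modelled.

```python
# Parse IPSECKEY RDATA (RFC 4025) and pick the RSA key an OE resolver hook would
# hand to pluto.  Added example, not Openswan/unbound/thread code; records are constructed.
import ipaddress
from typing import List, NamedTuple, Optional

GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3  # RFC 4025 gateway types
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2            # RFC 4025 algorithm types

class IPSecKey(NamedTuple):
    precedence: int          # lower is preferred (RFC 4025 section 2.2)
    gateway: Optional[str]   # IPv4/IPv6 literal, FQDN, or None
    algorithm: int
    public_key: bytes        # RFC 3110 format when algorithm == ALG_RSA

def _read_name(rdata: bytes, off: int):
    # Uncompressed wire-format name; compression pointers are forbidden in IPSECKEY.
    labels = []
    while rdata[off] != 0:
        length = rdata[off]
        if length > 63:
            raise ValueError("bad label length or compression pointer")
        labels.append(rdata[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", off + 1

def parse_ipseckey(rdata: bytes) -> IPSecKey:
    precedence, gw_type, alg = rdata[0], rdata[1], rdata[2]
    if gw_type == GW_NONE:
        gateway, off = None, 3
    elif gw_type == GW_IPV4:
        gateway, off = str(ipaddress.IPv4Address(rdata[3:7])), 7
    elif gw_type == GW_IPV6:
        gateway, off = str(ipaddress.IPv6Address(rdata[3:19])), 19
    elif gw_type == GW_NAME:
        gateway, off = _read_name(rdata, 3)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    return IPSecKey(precedence, gateway, alg, rdata[off:])

def rsa_exponent_modulus(key: bytes):
    """Split an RFC 3110 RSA key (the IPSECKEY RSA format) into (e, n) integers."""
    exp_len, off = key[0], 1
    if exp_len == 0:  # long form: a two-octet exponent length follows
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    return int.from_bytes(key[off:off + exp_len], "big"), int.from_bytes(key[off + exp_len:], "big")

def select_rsa_key(records: List[bytes]) -> Optional[IPSecKey]:
    """Lowest-precedence record carrying an RSA key; other algorithms are useless to pluto."""
    usable = [r for r in map(parse_ipseckey, records) if r.algorithm == ALG_RSA and r.public_key]
    return min(usable, key=lambda r: r.precedence) if usable else None
```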

