[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?
Niccolò Belli
darkbasic at linuxsystems.it
Sun Mar 11 13:17:15 EDT 2012
On 11/03/2012 17:59, Paul Wouters wrote:
> You mean just a lan to lan connection? That is not what we call "OE".
Server Y ---[internet]--- Gateway+resolver [B] ---[lan]--- Client [A]
A wants to connect to Y. B is in front of A since it is its gateway. B
is also its nameserver.
1) A asks for y.com
2) since B is its resolver it gets the A/AAAA record
3) B queries for IPSECKEY record for y.com
4) if received, unbound runs an ipsec whack command that pushes the IP
from the A/AAAA record with the IPSECKEY obtained RSA key into pluto
5) pluto loads the policy, meaning it will %trap packets to the IP
6) B releases the A/AAAA to A
7) A sends a packet to Y, it travels in clear in the local network until
it reaches B
8) B initiates an IKE connection and sets up an IPsec SA
9) connection is set up encrypted from B to Y while it's still in clear
from A to B (but I don't care since the local network is trusted)
> Note that you need DLV enabled because fedora's registrar does not
> support DNSSEC yet.
So that's the problem since I commented out DLV. I did it because I
think the real solution is domain transfer, not DLV.
Cheers,
Niccolò
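
The resolver-side check in steps 3-5 above, as an added example that is not part of the original message and not Openswan or unbound code: it parses IPSECKEY RDATA (RFC 4025, RSA key per RFC 3110) and returns addresses for a trap policy only when the answer was DNSSEC-validated. The function names, the `secure` flag and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

IpsecKey = namedtuple("IpsecKey", "precedence gateway exponent modulus_bits")

def parse_ipseckey(rdata: bytes) -> IpsecKey:
    """Parse IPSECKEY RDATA (RFC 4025) that carries an RSA key (RFC 3110)."""
    if len(rdata) < 3:
        raise ValueError("truncated IPSECKEY RDATA")
    precedence, gw_type, algorithm = rdata[0], rdata[1], rdata[2]
    pos, gateway = 3, None                     # gateway type 0: no gateway
    if gw_type in (1, 2):                      # 1 = IPv4, 2 = IPv6 address
        size = 4 if gw_type == 1 else 16
        if len(rdata) < pos + size:
            raise ValueError("truncated gateway address")
        gateway = str(ipaddress.ip_address(rdata[pos:pos + size]))
        pos += size
    elif gw_type != 0:                         # type 3 (domain name) not handled here
        raise ValueError("unsupported gateway type")
    if algorithm != 2:                         # 2 = RSA
        raise ValueError("not an RSA key")
    key = rdata[pos:]
    if len(key) < 3:
        raise ValueError("truncated RSA key")
    # RFC 3110: one-byte exponent length, or 0 followed by a two-byte length
    elen, off = (key[0], 1) if key[0] else (int.from_bytes(key[1:3], "big"), 3)
    exponent, modulus = key[off:off + elen], key[off + elen:]
    if len(exponent) != elen or not modulus:
        raise ValueError("truncated RSA key")
    return IpsecKey(precedence, gateway, int.from_bytes(exponent, "big"),
                    int.from_bytes(modulus, "big").bit_length())

def policy_targets(secure: bool, addresses: list, rdata: bytes) -> list:
    """Steps 3-5: addresses that get a trap policy; none unless DNSSEC-secure."""
    if not secure:                             # resolver's validation verdict (assumed input)
        return []
    try:
        parse_ipseckey(rdata)
    except ValueError:
        return []
    return [str(ipaddress.ip_address(a)) for a in addresses]

# Constructed sample: precedence 10, gateway 192.0.2.1, RSA e=65537, 64-bit toy modulus
SAMPLE = bytes([10, 1, 2, 192, 0, 2, 1, 3, 1, 0, 1]) + b"\xc3" + b"\x11" * 7
```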