[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?

Niccolò Belli darkbasic at linuxsystems.it
Sun Mar 11 13:17:15 EDT 2012

On 11/03/2012 17:59, Paul Wouters wrote:
> You mean just a lan to lan connection? That is not what we call "OE".

Server Y ---[internet]--- Gateway+resolver [B] ---[lan]--- Client [A]

A wants to connect to Y. B is in front of A since it is its gateway. B 
is also its nameserver.

1) A asks for y.com
2) since B is its resolver it gets the A/AAAA record
3) B queries for IPSECKEY record for y.com
4) if one is received, unbound runs an ipsec whack command that pushes the IP 
from the A/AAAA record, together with the RSA key obtained from the IPSECKEY record, into pluto
5) pluto loads the policy, meaning it will %trap packets to the IP
6) B releases the A/AAAA to A
7) A sends a packet to Y; it travels in the clear on the local network until 
it reaches B
8) B initiates an IKE exchange and sets up an IPsec SA
9) the connection is set up encrypted from B to Y while it is still in the clear 
from A to B (but I don't care, since the local network is trusted)

> Note that you need DLV enabled because fedora's registrar does not
> support DNSSEC yet.

So that's the problem, since I commented out DLV. I did it because I 
think the real solution is a domain transfer, not DLV.
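
The resolver-side hook in steps 3 to 5 above (take the IPSECKEY record, turn its RSA key into something pluto accepts, and hand pluto a %trap policy for the target address), written out as an added example. This is not Openswan or unbound code and is not part of the original post; it only models what that hook has to do. The record text and the RSA key are constructed sample data, not a real key. The `ipsec whack` flags (`--name`, `--host`, `--to`, `--client`, `--rsasigkey`, `--encrypt`, `--tunnel`, `--route`) are assumed to match an Openswan 2.6 whack and should be checked against `ipsec whack --help` on the gateway; the `secure` argument stands in for the resolver's DNSSEC validation result (the AD bit), which is the one check a hook like this must never skip, because an unvalidated IPSECKEY lets anyone who can spoof DNS hand B their own key and impersonate Y.

```python
"""Added example: from a DNSSEC-validated IPSECKEY record to pluto input.

Not Openswan/unbound code. whack flag names are assumed (check them against
`ipsec whack --help`); the sample record below is constructed, not a real key.
"""
import base64
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

RSA = 2  # IPSECKEY algorithm number for RSA (RFC 4025); 0 = none, 1 = DSA


@dataclass
class IpsecKey:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: Optional[str]  # None for gateway type 0
    pubkey: bytes           # RFC 3110 blob: exponent length, exponent, modulus


def parse_ipseckey(rdata: str) -> IpsecKey:
    """Parse IPSECKEY presentation format: precedence gw-type algorithm gateway key."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("IPSECKEY needs at least 4 fields")
    precedence, gateway_type, algorithm = (int(f) for f in fields[:3])
    gw_field = fields[3]
    if gateway_type == 0:
        if gw_field != ".":
            raise ValueError("gateway type 0 requires '.' as the gateway field")
        gateway = None
    elif gateway_type == 1:
        gateway = str(ipaddress.IPv4Address(gw_field))
    elif gateway_type == 2:
        gateway = str(ipaddress.IPv6Address(gw_field))
    elif gateway_type == 3:
        gateway = gw_field.rstrip(".").lower()  # domain name, needs another lookup
    else:
        raise ValueError(f"unknown gateway type {gateway_type}")
    # the base64 key may be split into several whitespace-separated chunks
    pubkey = base64.b64decode("".join(fields[4:]), validate=True)
    return IpsecKey(precedence, gateway_type, algorithm, gateway, pubkey)


def rsa_params(blob: bytes) -> Tuple[int, int]:
    """Unpack an RFC 3110 RSA key blob into (exponent, modulus)."""
    if not blob:
        raise ValueError("empty key")
    if blob[0] != 0:
        exp_len, off = blob[0], 1          # one-byte exponent length
    else:
        exp_len, off = int.from_bytes(blob[1:3], "big"), 3  # two-byte length
    if len(blob) < off + exp_len + 1:
        raise ValueError("truncated RSA key")
    exponent = int.from_bytes(blob[off:off + exp_len], "big")
    modulus = int.from_bytes(blob[off + exp_len:], "big")
    return exponent, modulus


def pluto_rsasigkey(key: IpsecKey, min_bits: int = 2048) -> str:
    """Return the key in pluto's '0s<base64>' form, after sanity checks.

    pluto's 0s format is the same RFC 3110 blob, base64-encoded, so the
    only work is validating it; refuse non-RSA and short keys.
    """
    if key.algorithm != RSA:
        raise ValueError("pluto needs an RSA IPSECKEY (algorithm 2)")
    _, modulus = rsa_params(key.pubkey)
    if modulus.bit_length() < min_bits:
        raise ValueError(f"RSA modulus is only {modulus.bit_length()} bits")
    return "0s" + base64.b64encode(key.pubkey).decode()


def whack_args(name: str, local_ip: str, target_ip: str, key: IpsecKey,
               secure: bool) -> List[str]:
    """argv for the whack call in step 4 (flag names assumed, see module docstring).

    `secure` is the resolver's DNSSEC validation result for the IPSECKEY.
    An unvalidated record must never reach pluto.
    """
    if not secure:
        raise PermissionError(f"IPSECKEY for {name} is not DNSSEC-validated")
    if key.gateway_type == 3:
        raise ValueError("domain-name gateway needs a second lookup; not handled here")
    remote = key.gateway or target_ip  # gateway type 0: the target is its own endpoint
    args = ["ipsec", "whack", "--name", name, "--host", local_ip,
            "--to", "--host", remote]
    if remote != target_ip:
        args += ["--client", f"{target_ip}/32"]  # target sits behind the gateway
    args += ["--rsasigkey", pluto_rsasigkey(key), "--encrypt", "--tunnel"]
    return args


def trap_args(name: str) -> List[str]:
    """argv for step 5: install the %trap eroute so traffic to Y triggers IKE."""
    return ["ipsec", "whack", "--name", name, "--route"]


# Constructed sample (not a real key): e = 65537, 2048-bit modulus with top bit set.
SAMPLE_BLOB = bytes([3, 0x01, 0x00, 0x01]) + bytes([0x80]) + bytes(255)
SAMPLE_RDATA = "10 1 2 192.0.2.38 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    rec = parse_ipseckey(SAMPLE_RDATA)
    print(shlex.join(whack_args("oe-y.com", "198.51.100.1", "192.0.2.38", rec, secure=True)))
    print(shlex.join(trap_args("oe-y.com")))
```

The two argv lists are what a real hook would hand to `subprocess.run`; the `secure=False` path raises rather than silently loading the key, which is the behaviour you want when validation fails because DLV is off and the zone is not in a signed parent.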