[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?

Paul Wouters paul at nohats.ca
Sun Mar 11 13:46:19 EDT 2012

On Sun, 11 Mar 2012, Niccolò Belli wrote:

> Server Y ---[internet]--- Gateway+resolver [B] ---[lan]--- Client [A]
> A wants to connect to Y. B is in front of A since it is its gateway. B is 
> also its nameserver.
> 1) A asks for y.com
> 2) since B is its resolver it gets the A/AAAA record
> 3) B queries for IPSECKEY record for y.com
> 4) if received, unbound runs an ipsec whack command that pushes the IP from 
> the A/AAAA record with the IPSECKEY obtained RSA key into pluto
> 5) pluto loads the policy, meaning it will %trap packets to the IP
> 6) B releases the A/AAAA to A
> 7) A sends a packet to Y, it travels in clear in the local network until it 
> reaches B
> 8) B initiates an IKE connection and sets up an IPsec SA
> 9) connection is setup encrypted from B to Y while it's still in clear from A 
> to B (but I don't care since the local network is trusted)

Right, this works in the same way, as long as the gateway is also the
resolver. However, there is a layer of NAT here. The tunnel would be a
host to host tunnel between Y and B, and A would get SNAT'ed to B before
going through the tunnel to Y. A difficulty here is if A actually
supports this natively, it will ALSO try to setup a tunnel to Y,
which likely won't work because there is already a tunnel for "B" on Y.

>> Note that you need DLV enabled because fedora's registrar does not
>> support DNSSEC yet.
> So that's the problem since I commented out DLV. I did it because I think the 
> real solution is domain transfer, not DLV.

While I agree, that solution is not within my power :)
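An added example (not code from this thread, from Openswan or from unbound) of the check the hook in step 4 should make before handing anything to pluto: parse the IPSECKEY record (RFC 4025 presentation form, RSA key in RFC 3110 form) and use it only when the resolver's answer carries the AD bit, which is exactly why DLV matters for a zone whose registrar does not support DNSSEC. The `answer` dict layout and the 2048-bit modulus threshold are assumptions of this example.

```python
from __future__ import annotations
import base64
from dataclasses import dataclass
from ipaddress import ip_address
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3   # gateway types, RFC 4025
ALG_DSA, ALG_RSA = 1, 2                           # algorithms, RFC 4025

@dataclass
class IPSECKEY:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: str | None   # None for the "." placeholder of gateway type 0
    public_key: bytes

def parse_ipseckey(rdata: str) -> IPSECKEY:
    """Presentation form: precedence gateway-type algorithm gateway base64-key."""
    prec, gwtype, alg, gw, *key = rdata.split()
    rec = IPSECKEY(int(prec), int(gwtype), int(alg),
                   None if gw == "." else gw, base64.b64decode("".join(key)))
    if (rec.gateway is None) != (rec.gateway_type == GW_NONE):
        raise ValueError("gateway '.' is valid only with gateway type 0")
    if rec.gateway_type in (GW_IPV4, GW_IPV6):
        if ip_address(rec.gateway).version != (4 if rec.gateway_type == GW_IPV4 else 6):
            raise ValueError("gateway address does not match gateway type")
    if rec.algorithm not in (ALG_DSA, ALG_RSA):
        raise ValueError(f"unknown algorithm {rec.algorithm}")
    return rec

def rsa_modulus_bits(key: bytes) -> int:
    """RFC 3110 layout: exponent length (1 byte, or 0 then 2 bytes), exponent, modulus."""
    exp_len, off = key[0], 1
    if exp_len == 0:
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    return int.from_bytes(key[off + exp_len:], "big").bit_length()

def trap_policies(answer: dict) -> list[tuple[str, IPSECKEY]]:
    """Steps 3-5 of the flow: pick the IPSECKEY to pair with each A/AAAA address.
    The AD bit means the resolver DNSSEC-validated the answer; without it (DLV off and
    the zone unsigned at the registrar) no key is handed to pluto."""
    if not answer.get("ad"):
        return []
    # Threshold chosen for this example: RSA only, modulus of at least 2048 bits.
    keys = [k for k in map(parse_ipseckey, answer["ipseckey"])
            if k.algorithm == ALG_RSA and rsa_modulus_bits(k.public_key) >= 2048]
    best = min(keys, key=lambda k: k.precedence, default=None)  # lowest precedence first
    return [(addr, best) for addr in answer["a"]] if best else []

# Constructed sample: one A record plus a 2048-bit RSA key in RFC 3110 form (not a real key).
SAMPLE_KEY = base64.b64encode(b"\x03\x01\x00\x01" + b"\xab" * 256).decode()
SAMPLE_ANSWER = {"ad": True, "a": ["192.0.2.10"], "ipseckey": [f"10 0 2 . {SAMPLE_KEY}"]}
```

With `"ad": False` (the situation after commenting out DLV) `trap_policies` returns nothing, so no %trap policy is loaded and traffic to Y simply stays in the clear rather than being protected by an unauthenticated key.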
