
Re: security.debian.org requires IPv4



Teddy Hogeborn <teddy@recompile.se> writes:

> DNSSEC does not have any security between the resolver and client; the
> only reasonable response is to run the resolver locally.  On an
> IPv6-only host, this will result in an IPv6-only resolver.

I don't necessarily agree with your conclusion. The security depends on
the level of trust you have in the network between the client and the
resolver. "locally" does not necessarily imply "on the same host",
although I do see that it might.

In any case, even if we assume that you have to run a resolver on the
IPv6-only host, this resolver can (and *should* IMHO) forward queries to
another caching resolver. Doing DNSSEC validation is not affected by the
depth of the cache hierarchy.

Running resolvers querying authoritative servers directly on every host
on the Internet would be insane.  It will not scale.  DNSSEC does not
require this, and never has.  Please don't make such assumptions.


Bjørn
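
The setup described in this message, as an added example that is not part of the original mail: an Unbound configuration for an IPv6-only host that validates DNSSEC locally while forwarding every query to an upstream caching resolver. The upstream address 2001:db8::53 is a documentation-prefix placeholder, and the trust anchor path is an assumption that varies by distribution.

```conf
# unbound.conf (added example; addresses and paths are placeholders)
server:
    # Listen only on the IPv6 loopback; clients on this host query ::1,
    # so no untrusted network sits between client and validator.
    interface: ::1
    access-control: ::1/128 allow
    do-ip4: no
    do-ip6: yes

    # Validate locally. The validator module checks signatures on the
    # answers it receives, whichever cache they came from.
    module-config: "validator iterator"
    # Assumed path; the root trust anchor location differs per distribution.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Treat answers that lack DNSSEC data for a signed zone as bogus,
    # and return SERVFAIL for bogus data instead of passing it on.
    harden-dnssec-stripped: yes
    val-permissive-mode: no

forward-zone:
    # Forward everything to an upstream caching resolver instead of
    # querying authoritative servers directly from this host.
    name: "."
    # Placeholder upstream resolver (documentation prefix).
    forward-addr: 2001:db8::53
```

The upstream only has to return the DNSSEC records (RRSIG, DNSKEY, DS) along with the answers; the local validator checks them against the root trust anchor, so the upstream cache does not need to be trusted for validation.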

