Result is better than I thought!

An article in CircleID references a report [PDF] by Core Competence and Nominet that talks about support for DNSSEC in routers for residential use.

The report points out problems some of those routers have, specifically in their NAT and firewall functionality, if the end user behind the router issues queries that request DNSSEC-signed data back.

What one has to remember is that in the normal setup (as is said in some comments to the CircleID post) these queries are not sent in the first place. Instead, queries are sent to the DNS resolver on the outside of the firewall/NAT, and that box does the DNSSEC verification. There is an implicit trust between the box sending the initial query and the resolver on the outside.
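To show what separates the two kinds of query on the wire, here is an added example (not from the report or the CircleID article). It assumes the standard mechanism: a client asks for DNSSEC records by appending an EDNS0 OPT record with the DO ("DNSSEC OK") bit set, and a validating resolver marks a verified answer with the AD header flag. The function names and the sample response header are constructed for illustration.

```python
import struct

DO_BIT = 0x8000  # "DNSSEC OK" flag inside the OPT record's TTL field (RFC 3225)
AD_BIT = 0x0020  # header flag: the resolver validated the answer
TC_BIT = 0x0200  # header flag: the answer was truncated


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, dnssec_ok=False, udp_size=4096, qid=0x1234):
    """Return a wire-format query; dnssec_ok appends an OPT record with DO set."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # class IN
    if not dnssec_ok:
        return header + question
    # OPT record: root name, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = extended RCODE | version | flags (DO is the top flag bit), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, DO_BIT, 0)
    return header + question + opt


def header_flags(msg):
    """Pull the flags a client behind the router would look at in a reply."""
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "ad": bool(flags & AD_BIT),
            "tc": bool(flags & TC_BIT), "rcode": flags & 0x000F}


if __name__ == "__main__":
    plain = build_query("example.com")
    signed = build_query("example.com", dnssec_ok=True)
    print(len(plain), "bytes without DO;", len(signed), "bytes with DO")
    # Constructed reply header: QR, RD, RA and AD set, no error.
    sample = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
    print(header_flags(sample))
```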

Sure, in the future the boxes on the inside will also start verifying DNSSEC-signed data, but not today, and I am pretty sure these boxes will be updated and have such features tomorrow. All of them, and not only the ones that have such features already.

As I say in the title of this post, I think the result was good. I am positively surprised by the high level of DNS functionality that exists in these tiny boxes that, once again, are for residential use.

Updated: It seems the meetings in Geneva make me more tired than I thought. I am now looking into more of the details of the report, and it seems to be worse than I thought at first. I will of course update when I have finally made up my mind on this…