[Users] freeS/WAN + DNSSec support

Specifically I’d like to know how freeS/WAN supports the 2 scenarios proposed in http://perso.ens-lyon.fr/dominique.ponsard/ACTES/7_securite/paper.121.pdf. That paper is french but I will explain the point here, so there’s no need for reading the paper.

One solution to fetch the key and have it verified for authentication is to put a module in freeS/WAN that can do the verification of the authenticy of the keys and materials stored in DNSSec.

The second one is to let the DNS cache do the verification and establishing an ipsec channel between the host and the DNS cache with the A-bit (« authenticated data ») on.

So, does freeS/WAN support these 2 solutions and to what extent ?

I thought it might be usefull to take a look in the section about opportunistic encryption. I found there no specific answer except that OE relies on the principle of storing info and public keys in DNS. About authentication of dns data (DNSSec), I found « this authentication/authorization is only as strong as your DNS is secure. " I understand, but the use of DNSSec does still need one of the two above proposed solutions (which the ipsec software must support if DNSSec is used).

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

Other searches on « secure dns » and « dnssec » in the freeS/WAN docs didn’t give me much usefull information about this issue.

Greetings,

Tim Vissers