[dns-operations] security-aware stub resolver

Jelte Jansen jelte at NLnetLabs.nl
Thu May 22 13:17:06 UTC 2008


Joe Abley wrote:
> 
> The impression I have arrived at is that in practical terms there is  
> no security-aware stub resolver in circulation, and that anybody  
> interested in failure modes following DNSSEC deployment only needs to  
> worry about the use-case where a non-security-aware stub resolver is  
> talking to a non-security-aware resolver, and the case where such a  
> stub resolver is talking to a validating resolver.
> 

just to be clear; you are talking about a stub resolver that knows
enough about DNSSEC (and DNS in general) to create it's own chain from a
trusted key to the data it needs (including passing all delegations),
and verify that?

I don't think that anyone has ever gotten any further than specifying a
possible API for something like that. Unless you count (lib)unbound, but
that is indeed a full resolver. On the other hand, an actual
dnssec-aware stub would probably also look a whole lot like a full resolver.

Jelte

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20080522/ca3bfce8/attachment.sig>


More information about the dns-operations mailing list