[dns-operations] security-aware stub resolver
jelte at NLnetLabs.nl
Thu May 22 13:17:06 UTC 2008
Joe Abley wrote:
> The impression I have arrived at is that in practical terms there is
> no security-aware stub resolver in circulation, and that anybody
> interested in failure modes following DNSSEC deployment only needs to
> worry about the use-case where a non-security-aware stub resolver is
> talking to a non-security-aware resolver, and the case where such a
> stub resolver is talking to a validating resolver.
Just to be clear: you are talking about a stub resolver that knows
enough about DNSSEC (and DNS in general) to create its own chain from a
trusted key to the data it needs (including passing all delegations),
and verify that?
I don't think that anyone has ever gotten any further than specifying a
possible API for something like that. Unless you count (lib)unbound, but
that is indeed a full resolver. On the other hand, an actual
DNSSEC-aware stub would probably also look a whole lot like a full resolver.