[dns-operations] security-aware stub resolver
Jelte Jansen
jelte at NLnetLabs.nl
Thu May 22 13:17:06 UTC 2008
Joe Abley wrote:
>
> The impression I have arrived at is that in practical terms there is
> no security-aware stub resolver in circulation, and that anybody
> interested in failure modes following DNSSEC deployment only needs to
> worry about the use-case where a non-security-aware stub resolver is
> talking to a non-security-aware resolver, and the case where such a
> stub resolver is talking to a validating resolver.
>
Just to be clear: you are talking about a stub resolver that knows
enough about DNSSEC (and DNS in general) to create its own chain from a
trusted key to the data it needs (including passing all delegations),
and verify that?
I don't think that anyone has ever gotten any further than specifying a
possible API for something like that. Unless you count (lib)unbound, but
that is indeed a full resolver. On the other hand, an actual
DNSSEC-aware stub would probably also look a whole lot like a full resolver.
Jelte