[dns-operations] security-aware stub resolver

Paul Vixie paul at vix.com
Thu May 22 17:57:14 UTC 2008


a "security-aware stub resolver" would be a "cacheless validator" and i'm
sure i wouldn't like its network behaviour.  validation requires access to
all signatures and keys between an rrset under test and a trust anchor, and
thus benefits tremendously from a local cache.  adding a local cache to a
stub resolver that is not otherwise going to traverse zone cuts and will
therefore not be receiving DS RRsets as a side effect, means a lot ofdelay in
every validation, and a lot of extra traffic.  the model therefore calls for
a stub to use TSIG to reach a normal caching validator.  this is what routers
and browsers should be doing when they need secure DNS.



More information about the dns-operations mailing list