[dns-operations] security-aware stub resolver
Paul Vixie
paul at vix.com
Thu May 22 17:57:14 UTC 2008
a "security-aware stub resolver" would be a "cacheless validator" and i'm
sure i wouldn't like its network behaviour. validation requires access to
all signatures and keys between an rrset under test and a trust anchor, and
thus benefits tremendously from a local cache. adding a local cache to a
stub resolver that is not otherwise going to traverse zone cuts and will
therefore not be receiving DS RRsets as a side effect, means a lot ofdelay in
every validation, and a lot of extra traffic. the model therefore calls for
a stub to use TSIG to reach a normal caching validator. this is what routers
and browsers should be doing when they need secure DNS.
More information about the dns-operations
mailing list