[dns-operations] security-aware stub resolver
David Conrad
drc at virtualized.org
Thu May 22 19:48:46 UTC 2008
Joe,
On May 22, 2008, at 11:25 AM, Joe Abley wrote:
> I had assumed that the "DNSSEC deployed" world would involve stub
> resolvers setting RD=1 and DO=1, and validators setting DO=1, and
> authority-only servers serving up security information. You seem to be
> saying that the final utopia in your mind looks different.
I personally believe the correct answer here is that stub resolvers go
away, being replaced with validating caching resolvers. Most of the
historical rationale that drove stub resolvers, namely client-side CPU
and memory limitations have long since been resolved (pun intended).
Bandwidth could be a consideration, although multi-layer caching/
forwarding architectures could address this.
As we've seen repeatedly, unless you run your own caching server, you
can't really trust the response. Particularly if you rely on your
ISP...
Regards,
-drc
More information about the dns-operations
mailing list