[dns-operations] security-aware stub resolver

David Conrad drc at virtualized.org
Thu May 22 19:48:46 UTC 2008


On May 22, 2008, at 11:25 AM, Joe Abley wrote:
> I had assumed that the "DNSSEC deployed" world would involve stub
> resolvers setting RD=1 and DO=1, and validators setting DO=1, and
> authority-only servers serving up security information. You seem to be
> saying that the final utopia in your mind looks different.

I personally believe the correct answer here is that stub resolvers go  
away, being replaced with validating caching resolvers.  Most of the  
historical rationale that drove stub resolvers, namely client-side CPU  
and memory limitations have long since been resolved (pun intended).   
Bandwidth could be a consideration, although multi-layer caching/ 
forwarding architectures could address this.

As we've seen repeatedly, unless you run your own caching server, you  
can't really trust the response.  Particularly if you rely on your  


More information about the dns-operations mailing list