[dns-operations] security-aware stub resolver
drc at virtualized.org
Thu May 22 19:48:46 UTC 2008
On May 22, 2008, at 11:25 AM, Joe Abley wrote:
> I had assumed that the "DNSSEC deployed" world would involve stub
> resolvers setting RD=1 and DO=1, and validators setting DO=1, and
> authority-only servers serving up security information. You seem to be
> saying that the final utopia in your mind looks different.
I personally believe the correct answer here is that stub resolvers go
away, being replaced with validating caching resolvers. Most of the
historical rationale that drove stub resolvers, namely client-side CPU
and memory limitations have long since been resolved (pun intended).
Bandwidth could be a consideration, although multi-layer caching/
forwarding architectures could address this.
As we've seen repeatedly, unless you run your own caching server, you
can't really trust the response. Particularly if you rely on your
More information about the dns-operations