[dns-operations] security-aware stub resolver

Edward Lewis Ed.Lewis at neustar.biz
Thu May 22 20:01:23 UTC 2008

At 19:31 +0000 5/22/08, Paul Vixie wrote:

>i think it's important that applications be dnssec aware.  i don't know the
>exact signalling used to tell an app that an answer was validated,

I wonder about that, I don't know if I agree after all the water has 
gone under the bridge.  That's an issue that has dogged us for a long 
time.  Part of me says that DNSSEC was only about protecting the 
DNSSEC transfers across the network.  Part of me says that apps ought 
to know the quality of the data they use.  DNS is sometimes referred 
to as infrastructure, lower layer.  But it too is an application 
layer beast.  This is the struggle that lead up to the debacle that 
was the SIKED BoF (http://www.ietf.org/proceedings/02mar/165.htm) in 
Minneapolis, 2002.  Sorry, no info at the link above.

Starting with Berkeley Sockets, we've never had a good API for 
feeding back trouble.  (How can you tell if it is safe to write()? 
You have to do a read() first.)  Back in the day, we (during the 
TISLabs days) could never agree on the proper return codes for 
anything other than the perfect case.  Whether or not an app should 
know - what could we give it, and what should the app do with it?
Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.

More information about the dns-operations mailing list