[dns-operations] security-aware stub resolver

David Conrad drc at virtualized.org
Fri May 23 05:30:20 UTC 2008


Tony,

On May 22, 2008, at 3:20 PM, Tony Finch wrote:
> Even if everything is running on a single host you need a protocol between
> client applications and the host's DNS cache. It might as well continue to
> be the stub resolver protocol.


You're right, I was too vague in terminology. I meant stub resolution  
to untrustworthy caches (e.g., what I suspect most folks on the  
Internet today do: trust whatever their ISP gives them) and the stub  
resolver (i.e., res_*) as it exists today should go away.  The former  
probably doesn't need further explanation.  On the latter, if you have  
all the information in a local cache, it isn't clear to me that using  
the DNS protocol to obtain the values (including validation  
information) associated with a domain name makes a whole lot of sense.  
The DNS protocol is painfully klunky to do that sort of local IPC...

Regards,
-drc





