[dns-operations] security-aware stub resolver
drc at virtualized.org
Fri May 23 05:30:20 UTC 2008
On May 22, 2008, at 3:20 PM, Tony Finch wrote:
> Even if everything is running on a single host you need a protocol
> client applications and the host's DNS cache. It might as well
> continue to be the stub resolver protocol.
You're right, I was too vague in terminology. I meant stub resolution
to untrustworthy caches (e.g., what I suspect most folks on the
Internet today do: trust whatever their ISP gives them) and the stub
resolver (i.e., res_*) as it exists today should go away. The former
probably doesn't need further explanation. On the latter, if you have
all the information in a local cache, it isn't clear to me that using
the DNS protocol to obtain the values (including validation
information) associated with a domain name makes a whole lot of sense.
The DNS protocol is painfully klunky to do that sort of local IPC...