[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Paul Vixie paul at vix.com
Tue May 27 04:51:59 UTC 2008

> > 	You do not get answers that failed to validate.
> This is, I believe, the problem.  Instead of getting an indication that
> validation failed, you get the same response you'd get if someone unplugged
> your router.  This will result in support calls which will result in caching
> server operators turning off DNSSEC.

not that this is the right mailing list for this part of the discussion
(see namedroppers at ops.ietf.org), but, i agree.

> > 	If you want to process answers that failed to validate set CD=1 and
> > 	DO=1 and provide the application with its own trust anchors.  The
> > 	application is then fully DNSSEC aware.
> You forgot the part about the application having an actual validator
> embedded in it.  As you are no doubt aware, validators are non-trivial hunks
> of code (with all that entails).

i am especially concerned about the amount of duplicated backbone and 
authority server traffic if every app on every host has its own full
resolver which is a building block of such a validator.  right now we
tend to cache at least at the host level and often at the LAN level.
if we go to an "every app for itself" model, i fear the provisioning.

More information about the dns-operations mailing list