[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver
Paul Vixie
paul at vix.com
Tue May 27 04:51:59 UTC 2008
> > You do not get answers that failed to validate.
>
> This is, I believe, the problem. Instead of getting an indication that
> validation failed, you get the same response you'd get if someone unplugged
> your router. This will result in support calls which will result in caching
> server operators turning off DNSSEC.
not that this is the right mailing list for this part of the discussion
(see namedroppers at ops.ietf.org), but, i agree.
> > If you want to process answers that failed to validate set CD=1 and
> > DO=1 and provide the application with its own trust anchors. The
> > application is then fully DNSSEC aware.
>
> You forgot the part about the application having an actual validator
> embedded in it. As you are no doubt aware, validators are non-trivial hunks
> of code (with all that entails).
i am especially concerned about the amount of duplicated backbone and
authority server traffic if every app on every host has its own full
resolver which is a building block of such a validator. right now we
tend to cache at least at the host level and often at the LAN level.
if we go to an "every app for itself" model, i fear the provisioning.
More information about the dns-operations
mailing list