[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

David Conrad drc at virtualized.org
Tue May 27 13:48:12 UTC 2008


On May 27, 2008, at 5:33 AM, Blacka, David wrote:
> To be clear, what the validating stub needs to cache is validated,
> trusted DNSKEYs (and, if desired, trusted DS RRs), since it is the one
> determining that they are trusted.  Otherwise, it would have to build
> the trust chain down from the trust anchor every time.

What would be the advantage of having a caching validated stub
resolver as opposed to having a full validating caching resolver and
using some form of more intelligent IPC to obtain information from
that caching resolver?

> But, keep in mind that this cache isn't anything like as large as a
> normal resolver cache.

I'm confused.  Wouldn't it need to do pretty much everything a full
validating caching resolver would need to do?


