[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Paul Vixie paul at vix.com
Tue May 27 17:32:36 UTC 2008

> > ok so that's what i meant when i said building per-application caches
> > would be expensive, compared to per-host or per-LAN caches.
> 	The only additional traffic is between the application and the
> 	local caching resolver.  The wide area traffic does not change.

thanks for explaining.  i'm still concerned.  that's a hell of a lot of
transactions between my workstation and the company's RDNS every time i type a
command in a shell where it has to do a DNS lookup.  and as DRC pointed out
it's a lot of complexity for what should be a "stub".  there is no way to
scale DNSSEC to worldwide universal use under this model, if for no other
reason than the problems the industry will have supporting it.  the first and
last mile for a stub resolver has to be (a) secure and (b) capable of
expressing validation failures apart from resolution failures.

More information about the dns-operations mailing list