[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

[Paul Vixie]

> > ok so that's what i meant when i said building per-application caches
> > would be expensive, compared to per-host or per-LAN caches.
> 
> 	The only additional traffic is between the application and the
> 	local caching resolver.  The wide area traffic does not change.

thanks for explaining.  i'm still concerned.  that's a hell of a lot of
transactions between my workstation and the company's RDNS every time i type a
command in a shell where it has to do a DNS lookup.  and as DRC pointed out
it's a lot of complexity for what should be a "stub".  there is no way to
scale DNSSEC to worldwide universal use under this model, if for no other
reason than the problems the industry will have supporting it.  the first and
last mile for a stub resolver has to be (a) secure and (b) capable of
expressing validation failures apart from resolution failures.