[dns-operations] eliminating stub resolvers

Jim Reid jim at rfc1035.com
Wed Oct 3 08:30:36 UTC 2012


On 3 Oct 2012, at 02:42, Vernon Schryver wrote:

>>> Why not get rid of stub resolvers completely and simply use  
>>> recursive resolvers?
>
> I think the code to parse the BIND9 configuration grammar and nothing
> more would be excessive and grotesque. The code to support all of
> that stuff would be obscene.

The code for BIND9's config file goop is not so bad compared to other  
parts of its internals: it's about the same size as validator.c (which  
has no crypto code) for instance.

> Of course, if the only available code for your situation is BIND, then
> you could use BIND with a tiny configuration file.

Yeah. It should even be possible to have a validating resolver using  
automatic rollover for the One True Trust Anchor without any config  
file at all. IIRC, that's pretty much what the almost ignored lwresd  
does. Though please don't assume I want to exhume lwresd. :-)

> The package would be smaller than current Firefox binaries that send
> me running and screaming in horror.

I'm sure someone, somewhere is working on a DNS server that is every  
bit as scary as that bloated train wreck.

PS: I changed the Subject: header since we're no longer discussing  
attacks on Brazil's DNS.



