[dns-operations] eliminating stub resolvers
jim at rfc1035.com
Wed Oct 3 08:30:36 UTC 2012
On 3 Oct 2012, at 02:42, Vernon Schryver wrote:
>>> Why not get rid of stub resolvers completely and simply use
>>> recursive resolvers?
> I think the code to parse the BIND9 configuration grammar and nothing
> more would be excessive and grotesque. The code to support all of
> that stuff would be obscene.
The code for BIND9's config file goop is not so bad compared to other
parts of its internals: it's about the same size as validator.c (which
has no crypto code) for instance.
> Of course, if the only available code for your situation is BIND, then
> you could use BIND with a tiny configuration file.
Yeah. It should even be possible to have a validating resolver using
automatic rollover for the One True Trust Anchor without any config
file at all. IIRC, that's pretty much what the almost ignored lwresd
does. Though please don't assume I want to exhume lwresd. :-)
> The package would be smaller than current Firefox binaries that send
> me running and screaming in horror.
I'm sure someone, somewhere is working on a DNS server that is every
bit as scary as that bloated train wreck.
PS: I changed the Subject: header since we're no longer discussing
attacks on Brazil's DNS.