[dns-operations] eliminating stub resolvers

Robert Edmonds edmonds at isc.org
Wed Oct 3 18:46:08 UTC 2012


Jim Reid wrote:
> Yeah. It should even be possible to have a validating resolver using
> automatic rollover for the One True Trust Anchor without any config
> file at all. IIRC, that's pretty much what the almost ignored lwresd
> does. Though please don't assume I want to exhume lwresd. :-)

a while back i experimented with interfacing the libunbound validating
resolver library with the glibc name service switch (similar to
nss-lwres):

    https://github.com/edmonds/nss-ubdns

it loads trust anchors at startup, so trust anchor rollover works as
long as some external process updates the TA file.

there are some problems with this approach (not the least of which are
that the results get returned to the caller through an API that doesn't
indicate the validation status, or loading openssl into every process
that calls the C resolver), but the surprising thing is that it even
works at all.

-- 
Robert Edmonds
edmonds at isc.org


