[dns-operations] resolvers considered harmful

Mark Allman mallman at icir.org
Thu Oct 23 03:10:40 UTC 2014

It is a terminology issue, I think.

> Perhaps I'm being unclear and/or we're having a terminology
> mismatch. To be concrete: are you suggesting that (a) every
> application on an 'endpoint' provide its own iterative resolution, (b)
> the 'end point' effectively runs an iterative caching resolver at
>, or (c) something else? 


Or, all of them!

The implementation does not matter to me.  An app could just run "dig
+short" for all I care.  My point is that this is an entirely internal
matter to the host.  Unlike the case of a shared resolver there is no
requirement that it accept any lookup request from outside the box.

> > All I am saying is that the resolver cannot do its job without
> > accepting requests from other hosts.
> As a person who frequently runs unbound listening only to on
> my laptop, we may have differing opinions of the scope of the job of a
> resolver. 

I should---as I hope we do in the paper---be careful and use the term
'shared resolver' for something outside the host itself.

> My point was that to definitively fix resolver-to-authoritative,
> you're going to need something like DNSSEC.

Yes- absolutely.  E.g., just because a client does the name lookup
instead of handing to a shared resolver isn't going to make the great
firewall any less likely to forge a response.  So, I don't mean to in
any way say DNSSEC isn't useful.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 180 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141022/504b8c04/attachment.sig>

More information about the dns-operations mailing list