[dns-operations] resolvers considered harmful
Mark Allman
mallman at icir.org
Thu Oct 23 03:10:40 UTC 2014
It is a terminology issue, I think.
> Perhaps I'm being unclear and/or we're having a terminology
> mismatch. To be concrete: are you suggesting that (a) every
> application on an 'endpoint' provide its own iterative resolution, (b)
> the 'end point' effectively runs an iterative caching resolver at
> 127.0.0.1/::1, or (c) something else?
(c)
Or, all of them!
The implementation does not matter to me. An app could just run "dig
+short" for all I care. My point is that this is an entirely internal
matter to the host. Unlike the case of a shared resolver there is no
requirement that it accept any lookup request from outside the box.
> > All I am saying is that the resolver cannot do its job without
> > accepting requests from other hosts.
>
> As a person who frequently runs unbound listening only to 127.0.0.1 on
> my laptop, we may have differing opinions of the scope of the job of a
> resolver.
I should---as I hope we do in the paper---be careful and use the term
'shared resolver' for something outside the host itself.
> My point was that to definitively fix resolver-to-authoritative,
> you're going to need something like DNSSEC.
Yes- absolutely. E.g., just because a client does the name lookup
instead of handing to a shared resolver isn't going to make the great
firewall any less likely to forge a response. So, I don't mean to in
any way say DNSSEC isn't useful.
allman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 180 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141022/504b8c04/attachment.sig>
More information about the dns-operations
mailing list