[dns-operations] resolvers considered harmful
mallman at icir.org
Thu Oct 23 03:10:40 UTC 2014
It is a terminology issue, I think.
> Perhaps I'm being unclear and/or we're having a terminology
> mismatch. To be concrete: are you suggesting that (a) every
> application on an 'endpoint' provide its own iterative resolution, (b)
> the 'end point' effectively runs an iterative caching resolver at
> 127.0.0.1/::1, or (c) something else?
Or, all of them!
The implementation does not matter to me. An app could just run "dig
+short" for all I care. My point is that this is an entirely internal
matter to the host. Unlike the case of a shared resolver there is no
requirement that it accept any lookup request from outside the box.
> > All I am saying is that the resolver cannot do its job without
> > accepting requests from other hosts.
> As a person who frequently runs unbound listening only to 127.0.0.1 on
> my laptop, we may have differing opinions of the scope of the job of a
I should---as I hope we do in the paper---be careful and use the term
'shared resolver' for something outside the host itself.
> My point was that to definitively fix resolver-to-authoritative,
> you're going to need something like DNSSEC.
Yes- absolutely. E.g., just because a client does the name lookup
instead of handing to a shared resolver isn't going to make the great
firewall any less likely to forge a response. So, I don't mean to in
any way say DNSSEC isn't useful.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 180 bytes
Desc: not available
More information about the dns-operations