[dns-operations] resolvers considered harmful
phill at hallambaker.com
Thu Oct 23 18:27:01 UTC 2014
On Thu, Oct 23, 2014 at 2:00 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> On Oct 23, 2014, at 10:29 AM, Andrew Sullivan <ajs at anvilwalrusden.com>
> > On Thu, Oct 23, 2014 at 07:25:46AM -0700, Paul Hoffman wrote:
> >> Speaking as someone who supports all end systems to be their own
> >> validating recursive resolver.
> > "Validating" I get. Why recursive?
> That's a fair question. I'm much more interested in validating than
> recursive. I don't believe that enough upstream resolvers will reliably get
> the end system answers that can be validated, so the validating end system
> will have to be able to be a recursive some of the time anyway. I suppose
> it would be better to have the end system be a "validating
> stub-but-recursor-when-necessary", but that seems weird. Maybe it isn't.
I would like to push you back to 'validating records that matter to the
application layer like DANE and security policy records.'