[dns-operations] resolvers considered harmful

Phillip Hallam-Baker phill at hallambaker.com
Thu Oct 23 18:27:01 UTC 2014


On Thu, Oct 23, 2014 at 2:00 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:

> On Oct 23, 2014, at 10:29 AM, Andrew Sullivan <ajs at anvilwalrusden.com>
> wrote:
> >
> > On Thu, Oct 23, 2014 at 07:25:46AM -0700, Paul Hoffman wrote:
> >> Speaking as someone who supports all end systems to be their own
> validating recursive resolver.
> >
> > "Validating" I get.  Why recursive?
>
> That's a fair question. I'm much more interested in validating than
> recursive. I don't believe that enough upstream resolvers will reliably get
> the end system answers that can be validated, so the validating end system
> will have to be able to be a recursive some of the time anyway. I suppose
> it would be better to have the end system be a "validating
> stub-but-recursor-when-necessary", but that seems weird. Maybe it isn't.
>

I would like to push you back to 'validating records that matter to the
application layer like DANE and security policy records.'
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141023/01ae02a4/attachment.html>


More information about the dns-operations mailing list