[dns-operations] resolvers considered harmful

Andrew Sullivan ajs at anvilwalrusden.com
Thu Oct 23 20:27:42 UTC 2014


On Thu, Oct 23, 2014 at 11:00:31AM -0700, Paul Hoffman wrote:
> 
> That's a fair question. I'm much more interested in validating than
> recursive. I don't believe that enough upstream resolvers will
> reliably get the end system answers that can be validated, so the
> validating end system will have to be able to be a recursive some of
> the time anyway.

What is certainly true is that a validating stub that needs missing
DNSSEC data will have to go get it, and this makes it considerably
less stubby.  But there are two things to keep in mind.

First, at least some recursive resolvers are going to do the right and
useful thing when they get CD=1, because they'll also do validation
themselves (even if they pass on bogus data), and they'll cache the
resulting data needed for validation.

Second, that cached data itself can then be used by others also.
Indeed, with the larger RRset sizes of DNSSEC-signed data, there's a
good argument to be made that caches become _more_ important, not
less.

Best regards,

A
-- 
Andrew Sullivan
ajs at anvilwalrusden.com
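As an added illustration (this is example code, not part of the thread or any resolver implementation), the small wire-format helper below shows where the CD bit discussed above lives in a DNS message, how a validating stub also asks for the DNSSEC records it needs (the DO bit in the EDNS0 OPT record), and how the stub can tell whether a reply actually carries the RRSIG data it would need to validate. The query name, the 192.0.2.1 answer, and the signature bytes in the sample reply are constructed placeholders; nothing here touches the network.

```python
"""Encode a validating-stub DNS query (CD=1, EDNS0 DO=1) and decode DNS
messages in wire format (RFC 1035 framing, RFC 6891 OPT RR).
Standard library only.  The sample response is constructed, not captured."""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 41, 46, 48
EDNS_DO = 0x8000  # DO bit sits in the OPT RR's TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Owner name -> uncompressed wire-format labels."""
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_rr(udp_size: int = 1232, do: bool = True) -> bytes:
    """EDNS0 OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)


def build_stub_query(name: str, qtype: int = TYPE_A, qid: int = 0x1234,
                     cd: bool = True, do: bool = True) -> bytes:
    """Query as a validating stub sends it: RD=1, CD=1 (give me the data even
    if you think it is bogus), DO=1 (include RRSIG/DNSKEY/NSEC records)."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # 1 question, 1 additional
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_rr(do=do)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end


def parse_message(msg: bytes) -> dict:
    """Walk every section and report the flags a validating stub cares about."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    rrs, do = [], False
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        else:
            rrs.append((name, rtype))
    types = {t for _, t in rrs}
    return {"id": qid, "cd": bool(flags & FLAG_CD), "ad": bool(flags & FLAG_AD),
            "do": do, "rrsig": TYPE_RRSIG in types, "dnskey": TYPE_DNSKEY in types,
            "records": rrs}


def sample_response(query: bytes) -> bytes:
    """Constructed reply: the A record plus its RRSIG (placeholder signature
    bytes), CD echoed from the query, OPT with DO set.  Not a real capture."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (qflags & FLAG_CD)
    question = query[12:-11]  # everything between the header and the 11-byte OPT RR
    ptr = b"\xC0\x0C"         # compression pointer back to the question name
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig_rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 3, 300, 0, 0, 0)
                 + encode_name("example.com") + b"\x00" * 64)  # placeholder signature
    rrsig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig_rdata)) + sig_rdata
    header = struct.pack("!HHHHHH", qid, flags, 1, 2, 0, 1)
    return header + question + a_rr + rrsig_rr + opt_rr(do=True)


if __name__ == "__main__":
    q = build_stub_query("www.example.com")
    print("query  :", parse_message(q))
    print("reply  :", parse_message(sample_response(q)))
```

The stub-side check a practitioner wants is the last line of `parse_message`: if `rrsig` is false in a reply to a DO=1 query, the stub has nothing to validate and must go fetch the signatures itself, which is exactly the "less stubby" behaviour the message describes; a resolver that honours CD=1 and caches RRSIG and DNSKEY records spares it that trip.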