[dns-operations] resolvers considered harmful

Mark Andrews marka at isc.org
Thu Oct 23 23:17:05 UTC 2014

In message <D06ED0EF.E5C56%jason_livingood at cable.comcast.com>, "Livingood, Jason" writes:
> On 10/23/14, 1:36 PM, "Paul Vixie" <paul at redbarn.org> wrote:
> >BIND9 runs fine on windows and macos laptops. so, without even touching
> >the real growth area of the edge (which is mobile devices like smart
> >phones)
> To add to your thought, Paul, also stuff like smart TVs, thermostats,
> security cameras, appliance modules, etc. (IoT stuff with very minimal
> capabilities in most cases).

DNSSEC does NOT require a lot of CPU.  Adding DNSSEC validation to
all these devices is quite possible.  Some of them already do more
expensive crypto than DNSSEC requires.

I've also run a validating recursive server on my laptops for years
since well before the root was signed.  The hardest thing to deal
with is the stupid "transparent" DNS caching servers.  They are not
"transparent".  They do not deal with non-recursive queries.  They
do not deal with TSIG or SIG(0).

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
