[dns-operations] DNS at FOSDEM 2016

Tony Finch dot at dotat.at
Thu Feb 4 10:52:52 UTC 2016

Robert Edmonds <edmonds at mycre.ws> wrote:
> I'm confused at the comments in other parts of the thread about BIND and
> Unbound already existing, which are not stub resolvers.  Probably
> BIND9's lwresd when combined with nss-lwres would qualify as a stub
> resolver, but I believe the nss-lwres component isn't part of BIND9 but
> rather a third party developer's (unmaintained?) project.

lwresd is a strange beast. AIUI it is basically full-fat BIND, despite the
claim in the man page that it is "stripped down" (named and lwresd are
hard links to the same binary). The difference from more common setups is
the protocol between the resolver library and the name server is like
an encoding of the resolver API, rather than the DNS protocol.

If anything is lightweight it is the lwres library which has a lot less
DNS in it. But afaik it never got adopted by any libc.

> I came to the conclusion that you would want to split the stub resolver
> so that the crypto operations can be done in an isolated process, which
> incidentally appears to be the exact split the systemd developers have
> arrived at in their systemd-resolved / nss-resolve split.  (The two
> components communicate locally over the D-Bus protocol.)

Not a million miles from the way lwresd is supposed to work. It has a
teeny bit of DNSSEC support in the RRSET_VALIDATED result flag from

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Fair Isle: Variable 4, becoming southeast 5 to 7, veering south or southwest 6
to gale 8 later. Moderate or rough, becoming very rough in southwest. Rain at
times. Good, occasionally poor.

More information about the dns-operations mailing list