2014-04-26 0:51 GMT+02:00 Chuck Anderson <c...@wpi.edu>:
> > Main goal is to have local DNSSEC-validating resolver.
>
> I, as the OP, did not intend that as the goal, although I have no
> problem with that as a different goal. My intent was to fix the
> atrocious failover behavior of the glibc resolver. I also don't mind
> using a caching resolver BUT there should be a better stub resolver
> that can be widely deployed in a default configuration that doesn't
> require a local caching resolver to paper over its deficiencies.
> Maybe nscd (and some of the other ideas in the link I posted) are part
> of the solution.
>
> Basically, we aren't going to win the war by suggesting that everyone
> should run a DNSSEC-validating resolver everywhere.

Right now I'd actually guess that it's more likely to have a DNSSEC-validating resolver soon, than the simple caching daemon you propose. Specific people are already dedicated to working on the former, and the principal elements of the solution already exist; what is left is (a large amount of) integration work. And that will also inherently handle the caching/failover case "for free". OTOH the caching daemon initiative would require new research, probably new implementation, and about the same large amount of integration work (currently unstaffed for *that* project)—and then doing the integration all over again when we do decide to deploy DNSSEC.

Mirek