I could not help but think about whether the idea behind "convergence" [1], something I stumbled upon recently, could help in this DNS resolver fundamental issue. The former is an attempt to solve the SSL CA issue, by eliminating them altogether, and replacing them with a mean for the client to confirm their perspective of the world with multiple other observers... Thought this could be the same for DNS.... I am getting 1.2.3.4 for mybank.com, What do you guys get?
Thanks, Mohamed. [1]: http://convergence.io/details.html On Wed, Oct 3, 2012 at 4:30 AM, Jim Reid <[email protected]> wrote: > On 3 Oct 2012, at 02:42, Vernon Schryver wrote: > >>>> Why not get rid of stub resolvers completely and simply use recursive >>>> resolvers? >> >> >> I think the code to parse the BIND9 configuration grammar and nothing >> more would be excessive and grotesque. The code to support all of >> that stuff would be obscene. > > > The code for BIND9's config file goop is not so bad compared to other parts > of its internals: it's about the same size as validator.c (which has no > crypto code) for instance. > >> Of course, if the only available code for your situation is BIND, then >> you could use BIND with a tiny configuration file. > > > Yeah. It should even be possible to have a validating resolver using > automatic rollover for the One True Trust Anchor without any config file at > all. IIRC, that's pretty much what the almost ignored lwresd does. Though > please don't assume I want to exhume lwresd. :-) > >> The package would be smaller than current Firefox binaries that send me >> running and >> screaming in horror. > > > I'm sure someone, somewhere is working on a DNS server that is every bit as > scary as that bloated train wreck. > > PS: I changed the Subject: header since we're no longer discussing attacks > on Brazil's DNS. > > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > dns-jobs mailing list > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
