On Apr 23, 2009, at 5:34 AM, Shane Kerr wrote:
Not really true. Many people think that the validating resolver should
be on the host itself.
Many? I can only dream.
This would use DNSSEC to secure even the last mile.
Presumably it would still forward queries to a nearby recursive
resolver, so there would be some shared caching going on?
You could do that, sure. It would be a reasonable optimization, but I
don't expect it is actually necessary (one could look at the amount of
crap hitting the root servers). However, the point is that you need to
do the validation someplace you can talk securely to. The easiest
answer is to simply do the validation on the same host.
I figure stub resolvers were needed when CPU/bandwidth/memory were a
bit more expensive than now. It seems a shame to constrain our
architecture to the '80s...
Regards,
-drc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop