> FWIW, when adding DANE support to Postfix, it was plainly obvious
> that DNSSEC validation belongs in the local resolver, and Postfix
> just needs to trust its "AD" bit. The only thing missing from the
> traditional libresolv API is some way for the application to specify
> the resolver address list from the application (as "127.0.0.1"
> and/or "::1"). Some systems have a newer stub API (res_nquery,
> ...), but this API is not yet sufficiently universal.

For me (not DANE, but SSHFP, not a lot of difference) it was very clear that an interface like getdns is a lot better than sending DNS packets to localhost and hoping that something will do the right thing. Obviously, getdns could be implemented by talking to a local recursive resolver. But that's just an implementation detail.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
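
The check described in the quoted text (accept the "AD" bit only when the reply comes from a resolver on "127.0.0.1" or "::1"), written out as an added example; it is not code from either poster, from Postfix or from getdns. The function names, the NOERROR-only rule and the sample headers are assumptions made here, and the check presumes the loopback resolver really performs DNSSEC validation.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Header flag bits in bytes 2-3 of a DNS message (RFC 1035; AD: RFC 4035). */
#define F_QR    0x8000u
#define F_TC    0x0200u
#define F_AD    0x0020u
#define F_RCODE 0x000Fu

/* 1 if addr is a literal in 127.0.0.0/8 or is ::1, else 0 (names are rejected). */
int is_loopback(const char *addr)
{
    static const uint8_t v6lo[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
    uint8_t buf[16];
    if (inet_pton(AF_INET, addr, buf) == 1)
        return buf[0] == 127;            /* network order: first octet */
    if (inet_pton(AF_INET6, addr, buf) == 1)
        return memcmp(buf, v6lo, sizeof v6lo) == 0;
    return 0;
}

/* 1 only if the reply came from a loopback resolver, matches our query ID,
 * is a complete NOERROR response, and carries the AD bit. */
int ad_trusted(const char *resolver, const uint8_t *msg, size_t len, uint16_t qid)
{
    if (!is_loopback(resolver) || len < 12)
        return 0;
    uint16_t id    = (uint16_t)((msg[0] << 8) | msg[1]);
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if (id != qid || !(flags & F_QR) || (flags & F_TC) || (flags & F_RCODE))
        return 0;
    return (flags & F_AD) != 0;
}

/* Constructed 12-byte headers: ID 0x1a2b, QR|RD|RA set, with and without AD. */
const uint8_t REPLY_AD[12]    = {0x1a, 0x2b, 0x81, 0xa0, 0,1, 0,1, 0,0, 0,0};
const uint8_t REPLY_NO_AD[12] = {0x1a, 0x2b, 0x81, 0x80, 0,1, 0,1, 0,0, 0,0};

int main(void)
{
    printf("loopback, AD set:   %d\n", ad_trusted("127.0.0.1", REPLY_AD, 12, 0x1a2b));
    printf("remote, AD set:     %d\n", ad_trusted("192.0.2.53", REPLY_AD, 12, 0x1a2b));
    printf("loopback, AD clear: %d\n", ad_trusted("::1", REPLY_NO_AD, 12, 0x1a2b));
    return 0;
}
```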