> FWIW, when adding DANE support to Postfix, it was plainly obvious
> that DNSSEC validation belongs in the local resolver, and Postfix
> just needs to trust its "AD" bit.  The only thing missing from the
> traditional libresolv API is some way for the application to specify
> the resolver address list from the application (as "127.0.0.1"
> and/or "::1").  Some systems have a newer stub API (res_nquery,
> ...), but this API is not yet sufficiently universal.

For me (not DANE, but SSHFP, not a lot of difference) it was very clear that
an interface like getdns is a lot better than sending DNS packets to localhost
and hoping that something will do the right thing.

Obviously, getdns could be implemented by talking to a local recursive
resolver. But that's just an implementation detail.


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
