Simo Sorce <[email protected]> wrote:
>> For this reason, I think that applications should not set or depend
>> upon the AD bit, even if the resolver is ::1. They either understand
>> DNS(SEC), or they use an API call way more sophisticated than
>> getaddrinfo() to do their connections. Java had the right idea, but
>> the implementation and error reporting was very poor.
> Nothing in this proposal prevents you from doing that for applications
> you care about. OTOH forcing applications to a completely new API by
> refusing this proposal on your grounds will guarantee fewer applications
> will use DNSSEC. And DNSSEC support will rapidly fragment making
> system-wide management a lot more difficult. I think that prospect is a
> much worse evil.
If I understand what you are saying, you are worried that different
applications will make up different DNSSEC APIs, and each application will
have different controls.
I am not opposed to centralized DNSSEC resolution (whether on the same host,
or via a trusted channel). It's that I am dissatisfied with "SERVFAIL"
as the only indication of a problem...
--
Michael Richardson
-on the road-
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
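As an added illustration of the two signals discussed in the thread (the AD header bit and a bare SERVFAIL RCODE), the Python below parses the 12-byte DNS header of constructed sample responses and shows what an application actually has to go on. This is example code, not part of the mailing-list discussion or any project's implementation; the `resolver_trusted` flag is an assumed application setting standing in for "the resolver is ::1 or reached over a trusted channel", and the sample messages are constructed inline.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2)
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data (set by a validating resolver)
FLAG_CD = 0x0010   # checking disabled
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header needs 12 bytes")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qdcount,
        "ancount": ancount,
    }


def classify(msg: bytes, resolver_trusted: bool) -> str:
    """Map a response header to the only outcomes a getaddrinfo()-style client can see.

    resolver_trusted is an assumed application setting: True only when the AD bit
    travelled over a path the application trusts (e.g. a local validating resolver).
    """
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        # Validation failure and any other server-side error look identical here;
        # this is the "SERVFAIL as the only indication" problem.
        return "servfail"
    if h["ad"] and resolver_trusted:
        return "secure"
    if h["ad"]:
        # AD set by an untrusted or spoofable path carries no assurance.
        return "unverified-ad"
    return "insecure"


def build_response(ident: int, rcode: int, ad: bool = False) -> bytes:
    """Constructed sample: a response header with one question and no answers."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & RCODE_MASK)
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    for label, msg, trusted in [
        ("validated, local resolver", build_response(0x1001, RCODE_NOERROR, ad=True), True),
        ("validated, untrusted path", build_response(0x1002, RCODE_NOERROR, ad=True), False),
        ("no DNSSEC", build_response(0x1003, RCODE_NOERROR), True),
        ("server failure", build_response(0x1004, RCODE_SERVFAIL), True),
    ]:
        print(f"{label:28s} -> {classify(msg, trusted)}")
```

The classifier deliberately collapses every SERVFAIL into one bucket: nothing in the header tells the application whether the resolver rejected a forged signature or simply timed out upstream, which is the gap the thread is debating.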