Teddy Hogeborn <[email protected]> writes:

> DNSSEC does not have any security between the resolver and client; the
> only reasonable response is to run the resolver locally. On an
> IPv6-only host, this will result in an IPv6-only resolver.

I don't necessarily agree with your conclusion. The security depends on the level of trust you have in the network between the client and the resolver. "locally" does not necessarily imply "on the same host", although I do see that it might.

In any case, even if we assume that you have to run a resolver on the IPv6-only host, this resolver can (and *should* IMHO) forward queries to another caching resolver. Doing DNSSEC validation is not affected by the depth of the cache hierarchy.

Running resolvers querying authoritative servers directly on every host on the Internet would be insane. It will not scale. DNSSEC does not require this, and never has. Please don't make such assumptions.

Bjørn

