> From: Paul Vixie <p...@redbarn.org>
> To: David Conrad <d...@virtualized.org>
> CC: Vernon Schryver <v...@rhyolite.com>, dns-operations@lists.dns-oarc.net
> >> The only reasonable solution is to give stub resolvers some of the
> >> features of recursive resolvers including DNSSEC validation and caching
> >> to make the costs of DNSSEC tolerable.

> > Why not get rid of stub resolvers completely and simply use recursive
> > resolvers?

I think the code to parse the BIND9 configuration grammar and nothing more
would be excessive and grotesque. The code to support all of that stuff
would be obscene. As far as only DNSSEC is concerned, you don't need a lot
of the complications that a real authority server needs (e.g. special NSEC3
database trees or lists to make big zones less slow).

Of course, if the only available code for your situation is BIND, then you
could use BIND with a tiny configuration file. The package would be smaller
than current Firefox binaries that send me running and screaming in horror.

> there's an urban legend about how the authority servers depend on
> caching by intermediate recursives and that if every end system had its
> own recursive server on board the authorities would melt.
> real traffic it might get the dreck percentage down to 80% but it
> wouldn't melt anything.

No matter how over-provisioned authority servers are, I don't understand
why making stubs more like real resolvers should increase traffic to
authority servers. Why couldn't you do the equivalent of moving the DNS
servers named in the system's equivalent of /etc/resolv.conf to the
equivalent of a BIND forwarders{} statement and putting "localhost" into
resolv.conf?

A full featured DNS server can't bypass men in the middle any more than a
bare bones DNSSEC validating caching forwarder. There's no security reason
to go to the real authority servers if your local DNS servers are corrupt.
The bad guys who corrupted them can attack your DNS traffic going outside.
All you can reliably do is detect evil, and only if you can somehow get the
root key. Detecting evil is often enough of the battle.
In many (but certainly not all) cases, the bad guys react to sunshine like
other vampires. In the other cases, you can choose to not play the game by
their rules or at all.

Vernon Schryver    v...@rhyolite.com
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
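As an added example (not part of Vernon's message, and not BIND's own code or documentation): a POSIX sh script that performs the move he describes. It takes the `nameserver` entries out of a resolv.conf, writes them into a `forwarders {}` block for a local forward-only, DNSSEC-validating, caching `named`, and emits a resolv.conf that points the stub at 127.0.0.1. The sample resolv.conf is constructed. `dnssec-validation auto;` (BIND 9.8 and later) uses the root trust anchor built into BIND; the loopback-only `listen-on`/`allow-query` lines and the choice of `forward only` are editorial assumptions, not something the mail specifies.

```shell
#!/bin/sh
# Added example, not from the original mail.  Inputs are passed as strings
# so the script runs against the constructed sample below without touching
# the real /etc/resolv.conf or named.conf.

# Constructed sample resolv.conf (assumed: one IPv4 and one IPv6 upstream).
SAMPLE_RESOLV='# generated by dhcp
search example.net
nameserver 192.0.2.53
nameserver 2001:db8::53
options timeout:2'

# upstreams RESOLV_TEXT: print each upstream resolver address, one per line.
upstreams() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# named_conf RESOLV_TEXT: a minimal named.conf for a forward-only validating
# cache.  It listens on loopback only (so the box is not an open resolver);
# dnssec-validation auto validates against BIND's built-in root trust anchor
# (BIND 9.8+); forward only means this named never contacts the authorities
# itself, so it adds no authority traffic beyond what the upstreams already
# generate.  A tampering upstream is detected (SERVFAIL), not bypassed.
named_conf() {
    printf 'options {\n'
    printf '    listen-on { 127.0.0.1; };\n'
    printf '    listen-on-v6 { ::1; };\n'
    printf '    allow-query { localhost; };\n'
    printf '    recursion yes;\n'
    printf '    dnssec-validation auto;\n'
    printf '    forward only;\n'
    printf '    forwarders {\n'
    upstreams "$1" | while read -r ns; do
        printf '        %s;\n' "$ns"
    done
    printf '    };\n'
    printf '};\n'
}

# local_resolv RESOLV_TEXT: the same resolv.conf with all nameserver lines
# collapsed into a single "nameserver 127.0.0.1", so the stub talks only to
# the local named.  search/options/comment lines are preserved.
local_resolv() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" {
            if (!done) { print "nameserver 127.0.0.1"; done = 1 }
            next
        }
        { print }'
}

# Stand-alone usage: show both generated files for the sample.
if [ "${SHOW_EXAMPLE:-}" = "1" ]; then
    echo '--- named.conf ---';   named_conf "$SAMPLE_RESOLV"
    echo '--- resolv.conf ---';  local_resolv "$SAMPLE_RESOLV"
fi
```

Run with `SHOW_EXAMPLE=1 sh script.sh` to print both files. Once deployed, `dig +dnssec example.net SOA @127.0.0.1` should show the `ad` flag for signed zones that validate and SERVFAIL for ones an upstream has tampered with; that is the "detect evil" Vernon refers to, and it depends entirely on the root key being present and current on the local machine.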