On 18/08/2021 01.49, Paul Ebersman wrote:
> DNS is a complicated, esoteric knowledge set. The reason apps,
> middleware and various other boxes mucking with DNS in transit tend to
> suck is exactly because the programmers on those boxes don't have this
> expertise and make all sorts of bad assumptions about what is safe/sane.

I typically put the blame on them trying to dissect what they don't understand instead of using some library or tool that does. OK, perhaps the toolset could be improved, but I don't think we can make the DNS *protocol* itself easy (not anymore; maaaybe after a big incompatible redesign but who dares to push for that).

It's similar to why you should not code TLS yourself, though there it's more obvious that you'll be prone to security bugs.

--Vladimir | knot-resolver.cz

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Reply via email to