On Mon, Mar 20, 2017 at 09:06:40PM -0400, Ted Lemon wrote:
> On Mar 20, 2017, at 8:48 PM, Viktor Dukhovni <[email protected]> wrote:
> > FWIW, when adding DANE support to Postfix,
>
> The homenet use case is completely different. Here we are talking about
> devices that routinely roam among operational domains with no basis for
> trust or even knowledge of the trustworthiness of the local resolver.
When I say "local", I don't mean on a nearby node on the local
network, I mean the loopback interface, i.e. a process on the same
device.
What's attractive here, is that real resolvers (local to the same
device) already have the requisite feature-set, and there's no need
to augment stub resolvers with features already handled by local
recursive resolvers. If a device is too dumb to run a separate
resolver process, I don't expect it'll have a trustworthy DNSSEC
implementation in its stub resolver.
--
Viktor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
