On Thu, 20 Apr 2017, Evan Hunt wrote:
> Once again, the recursive resolver needn't be built in. It only has to be
> accessible -- via resolv.conf, for example.

Mmmm, populating auth servers based on at most an AD bit of something from resolv.conf. Which more and more people are just pointing to 8.8.8.8. I don't think that's a good idea.

Maybe some good software and an internal-only ANAME special record with a secure DNS helper app isn't too bad after all. But again, if done well, would not require ANAME to ever go over the wire.

I think we've circled sufficiently around now that I'll step back and let others chime in.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop