On 11/22/21 12:09 PM, Joel M Snyder via mailop wrote:
I've got a free caching resolver in my edge firewall, but it needs some upstream resolvers to query.
And what if it didn't need upstream resolvers because it was a recursive resolver in and of itself?
To your other points about maintenance, you're already maintaining the resolver in your edge firewall.
I can't make a good argument for anything other than open resolvers.
I think the argument is dependent on your preference and the need in each specific case.
Aside: Microsoft's Active Directory and its DNS requirements come to mind. -- Last I checked, it was still considered good that this information wasn't open to the public / Internet DNS infrastructure.
The question for me is WHICH open resolvers.
Is it? Do you /need/ to choose an open resolver if the caching resolver built into your edge firewall is recursive?
Aside: While we're enhancing the caching resolver that's built into your edge firewall, let's also have it do DNSSEC validation.
-- Grant. . . . unix || die
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop