To: David Blacka <davidb@verisignlabs.com>
cc: dnssec@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Tue, 11 May 2004 19:13:14 -0400
In-Reply-To: Message from David Blacka <davidb@verisignlabs.com> of "Tue, 11 May 2004 17:02:16 EDT." <200405111702.16059.davidb@verisignlabs.com>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "David" == David Blacka <davidb@verisignlabs.com> writes:
David> I am curious as to what sort of local channel you expect SASR
David> to talk to the SAFR (to use your abbrev.)? Why do you expect
right now:
127.0.0.1:53 or 127.0.0.1:953
I'd like to use Unix domain socket instead, although chroot(2)s make
that more difficult. Unix domain sockets would have 2^31 limit on packet
size, I think.
David> it to be something other than DNS with TSIG? I would posit
David> that most of the time, the SAFR will not be on the same host,
David> just as full resolvers are usually not on the same host as the
David> stub.
I think that with DNSSEC, running a local caching resolver will
become more useful. (Sun has "nscd", for instance.)
Right now, pretty much every application that does a lot of DNS has a
cache built in. (i.e. web browser). Many of these caches do not respect
TTL at all, and rather than upgrading the cache, it makes more sense to
centralize things.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQKFeCYqHRg3pndX9AQHArgQA4qGdHCJAGgCnqZK9fqejGpQQ2CUcrSyW
UUdw5K0bvVILbj2xxoZ7eYOYxltoHcgjVLYsgB10tVGawj9MpE1YtP42B/AAqIeX
NdRjKGbIKgbnRqy0vgQACP+EcdThXt6nA2JIjFAfzKVK5psrLoZRLBhAB9TKdXRT
NyULVinyoGM=
=OF3P
-----END PGP SIGNATURE-----
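The message above argues for centralising DNS caching in a local resolver because the caches built into applications often ignore the TTL. The following is an added illustration, not code from the thread or from any of the software mentioned: a minimal stub-side cache that expires entries by TTL and hands back the decremented TTL, beside the "forever" cache behaviour the message complains about. The record names, addresses and TTL values are constructed; the clock is injectable so that expiry can be exercised without waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class CachedRRset:
    """One cached answer: the rdata tuple, its original TTL and when it was stored."""
    rdata: tuple
    ttl: int           # seconds, as received from the full resolver
    inserted: float    # clock reading at insertion time


def _key(name, rtype):
    # DNS names are case-insensitive; normalise so "WWW.EXAMPLE" and "www.example." match.
    return (name.lower().rstrip("."), rtype.upper())


class NaiveCache:
    """Models an application cache that never expires anything (the behaviour
    criticised in the message): once stored, an answer is returned forever."""

    def __init__(self):
        self._entries = {}

    def store(self, name, rtype, rdata, ttl):
        self._entries[_key(name, rtype)] = tuple(rdata)

    def lookup(self, name, rtype):
        return self._entries.get(_key(name, rtype))


class TTLCache:
    """A cache that honours the TTL: a lookup after the TTL has elapsed misses,
    and a hit returns the remaining TTL so the caller can pass it on correctly."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable for deterministic tests
        self._entries = {}

    def store(self, name, rtype, rdata, ttl):
        if ttl <= 0:
            return                   # a zero TTL means "do not cache"
        self._entries[_key(name, rtype)] = CachedRRset(tuple(rdata), ttl, self._clock())

    def lookup(self, name, rtype):
        key = _key(name, rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        age = self._clock() - entry.inserted
        if age >= entry.ttl:
            del self._entries[key]   # expired: evict and report a miss
            return None
        return entry.rdata, int(entry.ttl - age)


class FakeClock:
    """Constructed clock so the demo can advance time explicitly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Store one constructed A record with a 300 s TTL in both caches and look it
    up at 0 s, 299 s and 300 s. Returns (ttl_results, naive_results)."""
    clock = FakeClock()
    good, naive = TTLCache(clock=clock), NaiveCache()
    good.store("www.example.", "A", ("192.0.2.1",), 300)   # constructed record
    naive.store("www.example.", "A", ("192.0.2.1",), 300)

    ttl_results, naive_results = [], []
    for step in (0, 299, 1):
        clock.advance(step)
        ttl_results.append(good.lookup("WWW.EXAMPLE", "A"))
        naive_results.append(naive.lookup("WWW.EXAMPLE", "A"))
    return ttl_results, naive_results


if __name__ == "__main__":
    print(demo())
```

The TTL cache answers the first two lookups (with 300 s and then 1 s remaining) and misses at 300 s, whereas the naive cache keeps returning the same address indefinitely; a resolver that has re-fetched and revalidated the record would at that point already be serving the current answer.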