To: dnssec@cafax.se
From: Rob Austein <sra@hactrn.net>
Date: Mon, 10 May 2004 13:57:21 -0400
In-Reply-To: <200405101041.53316.davidb@verisignlabs.com>
Sender: owner-dnssec@cafax.se
User-Agent: Wanderlust/2.10.1 (Watching The Wheels) Emacs/21.3 Mule/5.0 (SAKAKI)
Subject: Re: dnssec: resolver - application communication

At Mon, 10 May 2004 10:41:53 -0400, David Blacka wrote:
>
> On Monday 10 May 2004 9:23 am, Miek Gieben wrote:
> >...
> > This essentially leads to the case whereby every application will do its
> > own validation. When you are validating DNSSEC data, it is very handy to
> > directly talk to the authoritative server. Thus this, in turn, will lead to
> > increased pounding on the authoritative servers on the Internet. Most
> > notably the secure entry points, which will be root in some future. In
> > short: this will most probably break the DNS.
>
> I'm not sure I agree here. Why would validating stub resolvers (a term I'm
> using for the "application") wish to talk directly to the authoritative
> servers?

In particular, what does the validating stub resolver need from the
authoritative name servers that it can't get via recursive name servers
by setting the CD bit?
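
Added example, not part of the original message or of any poster's code: the wire format of the query a validating stub resolver would send to a recursive name server with the CD bit set, plus a decoder for the header flags of the reply. The function names, the name example.com, the message ID, the 4096-byte UDP size, the EDNS0 DO bit and the sample response header are assumptions constructed for illustration.

```python
import struct

# DNS header flag masks: RFC 1035 layout plus the DNSSEC AD and CD bits.
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_OPT = 41      # EDNS0 OPT pseudo-RR
EDNS_DO = 0x8000   # "DNSSEC OK" bit in the flags half of the OPT TTL field


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_validating_stub_query(name, qtype, msg_id=0x1234, udp_size=4096):
    """Query with RD (recurse for me) and CD (do not validate for me) set.

    The OPT record with DO asks the recursive server to include the
    signature records the stub needs to validate locally.
    """
    header = struct.pack("!HHHHHH", msg_id, RD | CD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root owner, TYPE 41, CLASS = UDP size, TTL = rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def describe_flags(message):
    """Decode the header bits a stub checks before validating on its own."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", message[2:4])[0]
    return {"qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}


# Constructed sample: header of a reply with QR, RD, RA and CD set, AD clear.
SAMPLE_RESPONSE_HEADER = bytes.fromhex("123481900001000200000001")

if __name__ == "__main__":
    print(build_validating_stub_query("example.com", 1).hex())
    print(describe_flags(SAMPLE_RESPONSE_HEADER))
```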