To: dnssec@cafax.se
From: Miek Gieben <miekg@atoom.net>
Date: Thu, 13 May 2004 14:51:18 +0200
Content-Disposition: inline
In-Reply-To: <20040510175721.662ED42B2@thrintun.hactrn.net>
Mail-Followup-To: dnssec@cafax.se
Sender: owner-dnssec@cafax.se
User-Agent: Vim/Mutt/Linux
Subject: Re: dnssec: resolver - application communication
[On 10 May, @19:57, Rob wrote in "Re: dnssec: resolver - applica ..."]
> > On Monday 10 May 2004 9:23 am, Miek Gieben wrote:
> > >...
> > > This essentially leads to the case whereby every application will do its
> > > own validation. When you are validating DNSSEC data, it is very handy to
> > > directly talk to the authoritative server. Thus this, in turn, will lead to
> > > increased pounding on the authoritative servers on the Internet. Most
> > > notably the secure entry points, which will be root in some future. In
> > > short: this will most probably break the DNS.
> >
> > I'm not sure I agree here. Why would validating stub resolvers (a term I'm
> > using for the "application") wish to talk directly to the authoritative
> > servers?
>
> In particular, what does the validating stub resolver need from the
> authoritative name servers that it can't get via recursive name
> servers by setting the CD bit?

Nothing, I now think everything can be done by toggling the CD bit.

thanks,
Miek
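
What "setting the CD bit" looks like on the wire, as an added example that is not part of the original message: a validating stub sends an ordinary recursive query with CD=1 so the recursive server returns the data without applying its own validation policy, and the stub validates the answer itself. The function names and the query name `example.com` are constructed for illustration; the EDNS0 OPT record with the DO flag is not mentioned in the thread and is included here because it is how the stub asks for the signatures to be returned.

```python
import struct

# Flag masks in the second 16-bit word of the DNS header.
RD = 0x0100  # recursion desired
AD = 0x0020  # authentic data (set by a validating server in responses)
CD = 0x0010  # checking disabled (set by the querier)
DO = 0x8000  # "DNSSEC OK" flag in the EDNS0 OPT record's TTL field


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, qid, cd=True, do=True):
    """Build the query a validating stub sends to its recursive server."""
    flags = RD | (CD if cd else 0)
    # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record).
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096,
    # extended RCODE 0, version 0, flags, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO if do else 0, 0)
    return header + question + opt


def header_flags(msg):
    """Return the RD, AD and CD bits of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    return {"rd": bool(flags & RD), "ad": bool(flags & AD), "cd": bool(flags & CD)}


if __name__ == "__main__":
    query = build_query("example.com", 1, 0x1234)  # constructed sample: A record
    print(query.hex(), header_flags(query))
```

With CD set, the AD bit in the response says nothing useful to the stub; the signatures it validates locally are what it relies on.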