Petr Spacek <[email protected]> writes:

> It seems that almost everyone agrees that a local validating resolver is the
> best option.

I failed to pipe up before, unfortunately. But no, I don't agree that's the best solution. The reality is that in some cases we're making *security decisions* based on the results of a flag whose source we're not 100% sure of. Without doing something like replacing the system library's notion of even looking at resolv.conf and only looking for 127.0.0.1, you can't be 100% sure that the bit you get back is actually trustable. If the default install of the OS does the right thing, who's to say it'll stay that way?

As an application author who might want absolute assurance that DNSSEC was done (because I'm bootstrapping TLS or SSH or ... off of it), my ideal situation is to have a local resolver for caching purposes, but to actually do validation in-application.

-- 
Wes Hardaker
Parsons

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
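The "only trust the AD bit if resolv.conf points at 127.0.0.1" gate discussed in the message above, as an added example that is not part of the thread or of any project: it parses a resolv.conf body, accepts the AD bit only when every listed nameserver is a loopback address, and reads the AD bit out of a raw DNS response header. The resolv.conf contents and DNS headers are constructed sample data; the function names are the example's own.

```python
import ipaddress
import struct

# Constructed sample resolv.conf bodies (not from the original message).
RESOLV_LOCAL = "nameserver 127.0.0.1\noptions edns0\n"
RESOLV_REMOTE = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"


def nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def all_loopback(servers):
    """True only if every listed resolver is loopback (127.0.0.0/8 or ::1).

    An empty list fails closed: no resolver means no validator to trust.
    """
    if not servers:
        return False
    try:
        return all(ipaddress.ip_address(s).is_loopback for s in servers)
    except ValueError:  # unparseable address: do not trust it
        return False


def ad_flag(response):
    """Extract the AD (Authenticated Data) bit from a raw DNS header.

    The flags word is bytes 2-3 of the header; AD is bit 0x0020.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0020)


def ad_is_trustworthy(resolv_conf_text, response):
    """Believe the AD bit only when it came from a loopback validator."""
    return all_loopback(nameservers(resolv_conf_text)) and ad_flag(response)


# Constructed headers: ID 0x1234, one question, one answer; flags are
# QR|RD|RA|AD (0x81A0) and QR|RD|RA without AD (0x8180).
RESPONSE_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
RESPONSE_NO_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

As the message points out, this gate only tells you that the AD bit came from a resolver on the local host; it does not replace validating the RRSIG chain in the application itself.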
