On Tue, Apr 1, 2014 at 6:39 AM, Phillip Hallam-Baker <hal...@gmail.com> wrote:

> On Tue, Apr 1, 2014 at 9:05 AM, Nicholas Weaver <nwea...@icsi.berkeley.edu> wrote:
>
>> Let's assume a typical day of 1 billion external lookups for a major ISP
>> centralized resolver, and that all are verified. That's less than 1 CPU core-day
>> to validate every DNSSEC lookup that day at 2048b keys.
>>
>
> Yes, I agree, but you are proposing a different DNSSEC model to the one
> they believe in.
>
> The DNS world has put all their eggs into the DNSSEC from Authoritative to
> Stub client model. They only view the Authoritative to Resolver as a
> temporary deployment hack.
>

I think even in the imagined future of validating stub resolvers, there's still value in centralized caching; it speeds up lookup times. There's no sense in intermediates caching bad answers, especially since it can lead to denial of service, so there's still some value in validating centrally too.

--
Colm
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop