[107993] in North American Network Operators' Group
Re: hat tip to .gov hostmasters
daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Sep 22 11:15:50 2008
To: Simon Vallet <nanog@castalie.org>
From: Florian Weimer <fweimer@bfk.de>
Date: Mon, 22 Sep 2008 17:13:25 +0200
In-Reply-To: <20080922165937.62377b74@mlejnas.priv.castalie.org> (Simon
Vallet's message of "Mon, 22 Sep 2008 16:59:37 +0200")
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
* Simon Vallet:
>> I'm not much up on DNSSEC, but don't you need to be using a resolver
>> that recognizes DNSSEC in order for this to be useful?
>
> You do -- and last time I checked few native resolvers actually did:
> glibc doesn't, and I'd be surprised if the Windows resolver does
Windows doesn't. To my knowledge, there aren't any deployed
validating, security-aware stub resolvers. Your best bet is to run
BIND or Unbound locally with appropriate trust anchors, and use that
as the system's resolver. With modern LRU-based caches which are
efficient even at smallish sizes, this isn't much of a problem.
-- 
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
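
Added example, not part of the original message: with a validating resolver on the loopback interface, a non-validating client can still learn the validation result from the AD (Authenticated Data) flag defined in RFC 4035, provided it asks with the EDNS0 DO bit. The function names, the transaction ID and the sample response headers are constructed for illustration, and the AD flag is assumed to be trusted only because the resolver is local.

```python
import struct

FLAG_QR, FLAG_RD, FLAG_AD = 0x8000, 0x0100, 0x0020  # AD = Authenticated Data
RCODE_SERVFAIL = 2

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Recursive query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, type 41, class = UDP payload size,
    # TTL field = ext-rcode | version | flags, where DO is 0x8000.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def classify(response, txid):
    """Map a response header to what the local validator concluded."""
    if len(response) < 12:
        return "invalid"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not (flags & FLAG_QR):
        return "invalid"      # not a reply to our query
    if (flags & 0x000F) == RCODE_SERVFAIL:
        return "failed"       # bogus data or another resolver failure
    if flags & FLAG_AD:
        return "validated"    # resolver verified the chain to a trust anchor
    return "unvalidated"      # unsigned zone or no trust anchor configured

def sample_header(flags, txid=0x1234):
    """Constructed 12-byte response header (1 question, 1 answer, 1 OPT)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)

SAMPLES = {
    "signed zone": sample_header(0x81A0),    # QR RD RA AD, NOERROR
    "unsigned zone": sample_header(0x8180),  # QR RD RA, NOERROR
    "bogus data": sample_header(0x8182),     # QR RD RA, SERVFAIL
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label}: {classify(msg, 0x1234)}")
```
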