[129017] in North American Network Operators' Group


Re: DNSSEC and SSL

daemon@ATHENA.MIT.EDU (Tony Finch)
Mon Aug 23 10:50:05 2010

Date: Mon, 23 Aug 2010 15:49:52 +0100
From: Tony Finch <dot@dotat.at>
To: Mans Nilsson <mansaxel@besserwisser.org>
In-Reply-To: <20100822195727.GA26860@besserwisser.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, 22 Aug 2010, Mans Nilsson wrote:
>
> OTOH: A thicker stub resolver does indeed exist; lwresd in the BIND
> suite. Calling it from applications does however mean using new API
> calls; since the traditional resolver API is oblivious to DNSSEC.

lwresd is in fact a full service resolver, though it is designed for
forward-only usage. Although its man page says it is "stripped-down", it
is in fact just the normal named binary running in a mode with a simple
canned configuration that gets its forwarders from /etc/resolv.conf.

AIUI, lwresd was originally conceived to deal with the original IPv6 DNS
support (A6 records and binary labels). It would need quite a lot of
re-working in the lwres client library (and possibly also the lwres
protocol) to provide proper DNSSEC support.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
GERMAN BIGHT: CYCLONIC, BECOMING SOUTHWEST, GALE 8 TO STORM 10, INCREASING
VIOLENT STORM 11 FOR A TIME. ROUGH OR VERY ROUGH. RAIN OR SQUALLY SHOWERS.
MODERATE OR POOR.
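The thread's point that the traditional resolver API is oblivious to DNSSEC comes down to two bits the classic calls neither set nor expose: DO in the query's EDNS0 OPT record and AD in the reply header. The C sketch below is an added example, not code from this message or from BIND; the function names and the sample reply bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_FLAG_QR  0x8000  /* header: message is a response */
#define DNS_FLAG_RD  0x0100  /* header: recursion desired */
#define DNS_FLAG_AD  0x0020  /* header: resolver validated the answer */
#define EDNS_FLAG_DO 0x8000  /* OPT flags: DNSSEC OK */

static size_t put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return 2; }

/* Build an A query with an EDNS0 OPT record carrying DO=1.
 * Returns the message length, or 0 for a bad name or a short buffer. */
size_t build_dnssec_query(uint8_t *buf, size_t cap, uint16_t id, const char *name) {
    size_t n = 0, nlen = strlen(name);
    if (nlen == 0 || nlen > 253 || cap < 12 + (nlen + 2) + 4 + 11) return 0;
    const uint16_t hdr[6] = { id, DNS_FLAG_RD, 1, 0, 0, 1 };  /* QDCOUNT=1, ARCOUNT=1 */
    for (int i = 0; i < 6; i++) n += put16(buf + n, hdr[i]);
    while (*name) {                       /* each label: length byte + bytes */
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);
        if (l == 0 || l > 63) return 0;   /* empty or oversized label */
        buf[n++] = (uint8_t)l;
        memcpy(buf + n, name, l); n += l;
        name += l + (dot ? 1 : 0);
    }
    buf[n++] = 0;                         /* root label ends QNAME */
    n += put16(buf + n, 1); n += put16(buf + n, 1);  /* QTYPE A, QCLASS IN */
    buf[n++] = 0;                         /* OPT owner name: root */
    /* OPT: type 41, UDP payload size, ext-rcode/version, flags, RDLEN */
    const uint16_t opt[5] = { 41, 1232, 0, EDNS_FLAG_DO, 0 };
    for (int i = 0; i < 5; i++) n += put16(buf + n, opt[i]);
    return n;
}

/* 1 only if the reply matches id, is a response, has RCODE 0 and AD set.
 * AD is the resolver's claim: rely on it only over a protected path (e.g. loopback). */
int reply_is_authenticated(const uint8_t *msg, size_t len, uint16_t id) {
    if (len < 12) return 0;
    uint16_t rid = (uint16_t)((msg[0] << 8) | msg[1]);
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if (rid != id || !(flags & DNS_FLAG_QR) || (flags & 0x000f)) return 0;
    return (flags & DNS_FLAG_AD) != 0;
}

int main(void) {
    const uint8_t reply[12] = { 0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 1 }; /* constructed: QR RD RA AD */
    uint8_t q[64];
    printf("query bytes: %zu\n", build_dnssec_query(q, sizeof q, 0x1234, "example.com"));
    printf("AD accepted: %d\n", reply_is_authenticated(reply, sizeof reply, 0x1234));
    return 0;
}
```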

