[129020] in North American Network Operators' Group
Re: DNSSEC and SSL
daemon@ATHENA.MIT.EDU (Curtis Maurand)
Mon Aug 23 11:05:44 2010
Date: Mon, 23 Aug 2010 11:03:56 -0400
From: Curtis Maurand <cmaurand@xyonet.com>
To: nanog@nanog.org
In-Reply-To: <20100822195727.GA26860@besserwisser.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 8/22/2010 3:57 PM, Mans Nilsson wrote:
> a DNSSEC capable stub resolver not in the cards?
> The best option today is to run a full-service resolver on the host;
> which is a tad heavy for most desktops, not to speak about the cache
> misses that would cause root server system load. The latter of course
> can be avoided by setting forwarders.
>
> OTOH: A thicker stub resolver does indeed exist; lwresd in the BIND
> suite. Calling it from applications does however mean using new API
> calls; since the traditional resolver API is oblivious to DNSSEC.
>
PowerDNS resolver. Very fast, very light.
--Curtis
