2014-04-26 0:51 GMT+02:00 Chuck Anderson <cra@xxxxxxx>:
> Main goal is to have local DNSSEC-validating resolver.
I, as the OP, did not intend that as the goal, although I have no
problem with that as a different goal. My intent was to fix the
atrocious failover behavior of the glibc resolver. I also don't mind
using a caching resolver BUT there should be a better stub resolver
that can be widely deployed in a default configuration that doesn't
require a local caching resolver to paper over its deficiencies.
Maybe nscd (and some of the other ideas in the link I posted) are part
of the solution.
Basically, we aren't going to win the war by suggesting that everyone
should run a DNSSEC-validating resolver everywhere.
Right now I'd actually guess that it's more likely to have a DNSSEC-validating resolver soon, than the simple caching daemon you propose. Specific people are already dedicated to working on the former, and the principal elements of the solution already exist; what is left is (a large amount of) integration work. And that will also inherently handle the caching/failover case "for free".
OTOH the caching daemon initiative would require new research, probably new implementation, and about the same large amount of integration work (currently unstaffed for that project)—and then doing the integration all over again when we do decide deploy DNSSEC.
OTOH the caching daemon initiative would require new research, probably new implementation, and about the same large amount of integration work (currently unstaffed for that project)—and then doing the integration all over again when we do decide deploy DNSSEC.
Mirek
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
