Re: hat tip to .gov hostmasters

• From: Florian Weimer
• Date: Mon Sep 22 11:15:47 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

* Simon Vallet:

>> I'm not much up on DNSSEC, but don't you need to be using a resolver
>> that recognizes DNSSEC in order for this to be useful?
>
> You do -- and last time I checked few native resolvers actually did :
> glibc doesn't, and I'd be surprised if the Windows resolver does

Windows doesn't.  To my knowledge, there aren't any deployed
valdiating, security-aware stub resolvers.  Your best bet is to run
BIND or Unbound locally with appropriate trust anchors, and use that
as the system's resolver.  With modern LRU-based caches which are
efficient even at smallish sizes, this isn't much of a problem.

-- 
Florian Weimer                <[email protected]>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

• References:
  • hat tip to .gov hostmasters Scott Francis
  • Re: hat tip to .gov hostmasters Jason Frisvold
  • Re: hat tip to .gov hostmasters Simon Vallet

• Prev by Date: RE: hat tip to .gov hostmasters
• Next by Date: RE: hat tip to .gov hostmasters
• Date Index
• Thread Index
• Author Index
• Historical