[getdns-api] some early API comments
Joe Hildebrand jhildebr
Tue Jan 22 08:26:20 CET 2013
This is likely well-trod ground in the DNS world. I apologize in advance.
On 1/21/13 7:33 PM, "Evan Hunt" <each at isc.org> wrote:
>And, applications don't always want to do their own crypto. If my resolver
>is validating, and I trust it, and I trust that there's no MITM between me
>and it, then I may prefer to let *it* handle the crypto and tell me what it
>learned.
Even in the case where I theoretically could trust my DNS infrastructure
(inside my cloud deployment), I'm still unlikely to do so when CPU on the
application boxes is relatively cheap. Anything I trust is a potential
attacker.
For end-users, trusting your upstream resolver for DNSSEC seems foolhardy
to save a couple of CPU cycles and a little code that's probably going to
be on your box anyway.
So, why would I ever want to trust the upstream infrastructure as an
application?
--
Joe Hildebrand