[getdns-api] some early API comments
Evan Hunt
Tue Jan 22 18:00:41 CET 2013
> This is likely well-trod ground in the DNS world. I apologize in advance.
No worries.
> So, why would I ever want to trust the upstream infrastructure as an
> application?
Valid question.
The short answer is you might *not* want to, and for that matter I might
not either, but DNS does provide a mechanism for it and IMHO a complete DNS
API ought to provide access to the mechanism. (Which this one may have done,
but I missed it.)
More substantively: embedded systems, in particular, may find it desirable
not to replicate code or work, and may wish to take full advantage of a local
cache; also, I can imagine situations in which an application developer
could expect updates to be infrequent and wouldn't want to be stuck
using an outdated or buggy crypto library. Suppose ECDSA-signed DNS
records come along and your resolver knows how to validate them but
your application doesn't? Security's always about tradeoffs.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
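Added example, not part of Evan Hunt's message or of the getdns API: the "mechanism" DNS provides for relying on upstream validation is the AD (Authenticated Data) bit in the response header (RFC 4035). The code below parses that bit from a raw DNS header and applies a trust policy that is an assumption of this example: the AD bit only counts when the path to the resolver cannot be tampered with, i.e. the resolver is on loopback or the transport is itself authenticated. The sample headers are constructed for the example.

```python
"""Added example (not from the getdns-api thread): inspect the AD bit in a
DNS response header and decide whether to trust upstream validation."""
import ipaddress
import struct

# Flag bits of the 16-bit DNS header flags field (RFC 1035 / RFC 4035).
FLAG_AD = 0x0020  # Authenticated Data: the resolver says it validated
FLAG_CD = 0x0010  # Checking Disabled: the client asked it not to


def parse_flags(message: bytes) -> dict:
    """Parse the 12-byte DNS header and return the fields of interest."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "qr": bool(flags & 0x8000),   # 1 = response
        "rcode": flags & 0x000F,      # 0 = NOERROR
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "ancount": an,
    }


def trust_upstream_validation(message: bytes, resolver_ip: str,
                              secure_transport: bool = False) -> bool:
    """Return True only if the answer may be treated as DNSSEC-validated on
    the strength of the upstream resolver's AD bit.

    Policy (an assumption of this example, not the API's): a resolver's AD
    bit is only meaningful when the last hop cannot be spoofed, so we
    require either a loopback resolver or an authenticated transport
    (for example DNS over TLS) before believing it.
    """
    hdr = parse_flags(message)
    if not hdr["qr"] or hdr["rcode"] != 0 or not hdr["ad"]:
        return False
    path_trusted = (ipaddress.ip_address(resolver_ip).is_loopback
                    or secure_transport)
    return path_trusted


# Constructed sample headers (only the 12-byte header is needed here).
# 0x81A0: QR, RD, RA and AD set, RCODE 0.  0x8180: same without AD.
SAMPLE_AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
SAMPLE_NO_AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.53"):
        print(ip, trust_upstream_validation(SAMPLE_AD_RESPONSE, ip))
```

The point of the policy function is the tradeoff in the message above: an application that delegates validation inherits the resolver's crypto support and cache, but it also inherits every hop between itself and that resolver, so the AD bit should only be honoured where that path is trusted.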