[getdns-api] some early API comments

Evan Hunt
Tue Jan 22 18:00:41 CET 2013


> This is likely well-trod ground in the DNS world.  I apologize in advance.

No worries.

> So, why would I ever want to trust the upstream infrastructure as an
> application?

Valid question.

The short answer is you might *not* want to, and for that matter I might
not either, but DNS does provide a mechanism for it and IMHO a complete DNS
API ought to provide access to the mechanism. (Which this one may have done,
but I missed it.)

More substantively: embedded systems, in particular, may find it desirable
not to replicate code or work, and may wish to take full advantage of a local
cache; also, I can imagine situations in which an application developer
could expect updates to be infrequent and wouldn't want to be stuck
using an outdated or buggy crypto library.  Suppose ECDSA-signed DNS
records come along and your resolver knows how to validate them but
your application doesn't?  Security's always about tradeoffs.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
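The "mechanism" the message refers to, expressed as an added example (my own code, not part of this thread or of the getdns project): a validating upstream resolver reports its result in the AD (Authenticated Data) bit of the DNS header, and an application that wants to validate locally instead asks the resolver to stand aside by setting CD (Checking Disabled). The snippet parses the 12-byte header from constructed sample responses and applies the policy decision the message describes: the AD bit only means something if the application has decided to trust the path to that resolver. Header layout and bit positions are per the DNS wire format; the sample bytes are constructed, and the function names are my own.

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six big-endian 16-bit words).
HEADER_FORMAT = "!HHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FORMAT)


def parse_header_flags(message: bytes) -> dict:
    """Decode the FLAGS word of a DNS message header into named fields."""
    if len(message) < HEADER_LEN:
        raise ValueError("message shorter than a DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack(HEADER_FORMAT, message[:HEADER_LEN])
    return {
        "qr": bool(flags & 0x8000),       # response (1) vs query (0)
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),       # authoritative answer
        "tc": bool(flags & 0x0200),       # truncated
        "rd": bool(flags & 0x0100),       # recursion desired
        "ra": bool(flags & 0x0080),       # recursion available
        "ad": bool(flags & 0x0020),       # authenticated data (resolver validated)
        "cd": bool(flags & 0x0010),       # checking disabled (client validates itself)
        "rcode": flags & 0x000F,
    }


def validation_status(message: bytes, trust_upstream: bool) -> str:
    """Decide what the AD bit is worth to this application.

    trust_upstream is the application's own decision that the resolver and
    the channel to it are trustworthy; without that, AD is just an
    unauthenticated bit set by whoever answered.
    """
    f = parse_header_flags(message)
    if not f["qr"]:
        return "not-a-response"
    if f["cd"]:
        # We asked the resolver not to validate; nothing upstream to rely on.
        return "must-validate-locally"
    if f["ad"] and trust_upstream:
        return "upstream-validated"
    if f["ad"] and not trust_upstream:
        return "ad-set-but-untrusted"
    return "unvalidated"


def build_header(flags: int, qdcount: int = 1, ancount: int = 1) -> bytes:
    """Construct a header-only DNS message for the samples below."""
    return struct.pack(HEADER_FORMAT, 0x1234, flags, qdcount, ancount, 0, 0)


# Constructed samples (not real captures):
#   0x81A0 = QR, RD, RA, AD set: a validating resolver vouching for the answer
#   0x8190 = QR, RD, RA, CD set: resolver told to skip validation
#   0x8180 = QR, RD, RA only:    no validation claim at all
AD_RESPONSE = build_header(0x81A0)
CD_RESPONSE = build_header(0x8190)
PLAIN_RESPONSE = build_header(0x8180)

if __name__ == "__main__":
    for name, msg in (("AD", AD_RESPONSE), ("CD", CD_RESPONSE), ("plain", PLAIN_RESPONSE)):
        print(name, parse_header_flags(msg)["ad"], validation_status(msg, trust_upstream=True),
              validation_status(msg, trust_upstream=False))
```

The point of `trust_upstream` is the tradeoff in the message: an embedded device that leans on a local validating cache sets it to true and saves the crypto work; an application that does not trust the path treats an AD-bearing answer as unverified and validates the RRSIGs itself.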



More information about the spec mailing list