nanog mailing list archives
Re: DNSSEC and SSL
From: Tony Finch <dot () dotat at>
Date: Mon, 23 Aug 2010 15:49:52 +0100
On Sun, 22 Aug 2010, Mans Nilsson wrote:
OTOH: A thicker stub resolver does indeed exist; lwresd in the BIND suite. Calling it from applications does however mean using new API calls; since the traditional resolver API is oblivious to DNSSEC.
lwresd is in fact a full service resolver, though it is designed for forward-only usage. Although its man page says it is "stripped-down", it is in fact just the normal named binary running in a mode with a simple canned configuration that gets its forwarders from /etc/resolv.conf. AIUI, lwresd was originally conceived to deal with the original IPv6 DNS support (A6 records and binary labels). It would need quite a lot of re-working in the lwres client library (and possibly also the lwres protocol) to provide proper DNSSEC support. Tony. -- f.anthony.n.finch <dot () dotat at> http://dotat.at/ GERMAN BIGHT: CYCLONIC, BECOMING SOUTHWEST, GALE 8 TO STORM 10, INCREASING VIOLENT STORM 11 FOR A TIME. ROUGH OR VERY ROUGH. RAIN OR SQUALLY SHOWERS. MODERATE OR POOR.
Current thread:
- DNSSEC and SSL ML (Aug 21)
- Re: DNSSEC and SSL Gary Buhrmaster (Aug 21)
- Re: DNSSEC and SSL Mikael Abrahamsson (Aug 21)
- Re: DNSSEC and SSL ML (Aug 22)
- Re: DNSSEC and SSL Mans Nilsson (Aug 22)
- Re: DNSSEC and SSL bmanning (Aug 22)
- Re: DNSSEC and SSL Wes Hardaker (Aug 23)
- Re: DNSSEC and SSL Tony Finch (Aug 23)
- Re: DNSSEC and SSL Curtis Maurand (Aug 23)
- Re: DNSSEC and SSL Doug Barton (Aug 23)
- Re: DNSSEC and SSL ML (Aug 22)
- Re: DNSSEC and SSL bmanning (Aug 22)
- Re: DNSSEC and SSL Tony Finch (Aug 23)
- Re: DNSSEC and SSL Jakob Schlyter (Aug 23)
- Re: DNSSEC and SSL Barry Shein (Aug 23)