[getdns-api] some early API comments

Joe Hildebrand (jhildebr) jhildebr at cisco.com
Tue Jan 22 00:26:20 MST 2013


This is likely well-trod ground in the DNS world.  I apologize in advance.

On 1/21/13 7:33 PM, "Evan Hunt" <each at isc.org> wrote:

>And, applications don't always want to do their own crypto.  If my
>resolver
>is validating, and I trust it, and I trust that there's no MITM between me
>and it, then I may prefer to let *it* handle the crypto and tell me what
>it
>learned.

Even in the case where I theoretically could trust my DNS infrastructure
(inside my cloud deployment), I'm still unlikely to do so when CPU on the
application boxes is relatively cheap.  Anything I trust is a potential
attacker.

For end-users, trusting your upstream resolver for DNSSEC seems foolhardy
to save a couple of CPU cycles and a little code that's probably going to
be on your box anyway.

So, why would I ever want to trust the upstream infrastructure as an
application?

-- 
Joe Hildebrand






More information about the getdns-api mailing list