[getdns-api] some early API comments

Evan Hunt each at isc.org
Tue Jan 22 10:00:41 MST 2013

> This is likely well-trod ground in the DNS world.  I apologize in advance.

No worries.

> So, why would I ever want to trust the upstream infrastructure as an
> application?

Valid question.

The short answer is you might *not* want to, and for that matter I might
not either, but DNS does provide a mechanism for it and IMHO a complete DNS
API ought to provde access to the mechanism. (Which this one may have done,
but I missed it.)

More substantively: embedded systems, in particular, may find it desirable
not to replicate code or work, and may wish to full advantage of a local
cache; also, I can imagine situations in which an application developer
could expect updates to be infrequent and wouldn't want to be stuck
using an outdated or buggy crypto library.  Suppose ECDSA-signed DNS
records come along and your resolver knows how to validate them but
your application doesn't?  Security's always about tradeoffs.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the getdns-api mailing list