[getdns-api] some early API comments

Phil Pennock getdns-api-phil at spodhuis.org
Tue Jan 22 11:13:11 MST 2013


On 2013-01-22 at 07:26 +0000, Joe Hildebrand (jhildebr) wrote:
> So, why would I ever want to trust the upstream infrastructure as an
> application?

Isolation of concerns, decomposability, ability to impose security
barriers.

Given the sheer number of security updates for problems with DNSSEC in
Bind, Unbound, etc, it's clear that even with world-leading expertise,
it's hard to get this right.

If all the DNSSEC logic is encapsulated inside a dedicated resolver,
then you just need to replace the resolver.

If all the DNSSEC logic is also embedded into every application that
uses DNS, you need to replace every application that uses DNSSEC;
hopefully it's just a library update, but it still is going to cause
dependency issues, change management issues, etc etc.

For most of my career, I've been a professional sysadmin/SRE.  As
someone responsible for the lifecycle of an entire system, I'd *far*
rather see the complexity and security-impacting decisions of something
exposed to data from the outside world via UDP constrained to one
service, running as a uid with no access rights to sensitive data, and
then talk to that service via a separate link, whether it's a generic
RPC mechanism or regular DNS, perhaps with TSIG for certainty if it's
not on localhost.

-Phil
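The arrangement Phil describes above, an application that delegates all DNSSEC logic to a dedicated validating resolver and consumes the result over ordinary DNS, comes down to three things on the application side: ask for validated data (RD, AD and the EDNS0 DO bit in the query), trust the resolver's AD bit only when the path to it is itself trustworthy (loopback, or TSIG-protected), and treat a SERVFAIL from a validating resolver as a possible validation failure rather than a transient error. The following is an added example, not code from this thread or from the getdns project, written against raw wire format with only the Python standard library. The `resolver_trusted` flag stands in for the "on localhost or TSIG-verified" decision, which is assumed to have been made out of band; the response bytes are constructed inline for the example rather than captured from a real resolver.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020          # Authentic Data: resolver asserts validation succeeded
FLAG_CD = 0x0010          # Checking Disabled
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000          # DNSSEC OK bit, in the OPT RR TTL field (RFC 6891)


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname, txid, qtype=1):
    """Query with RD and AD set (AD in a query means 'I understand AD',
    RFC 6840 section 5.7) plus an EDNS0 OPT RR carrying DO."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext. rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an,
            "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD)}


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def extract_a_records(msg):
    """Pull A record rdata out of the answer section as dotted quads."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    ips = []
    for _ in range(h["ancount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def classify(query_txid, response, resolver_trusted):
    """Interpret the upstream resolver's verdict on a response.
    'secure'/'insecure' are only meaningful when the channel to the
    resolver is trusted; otherwise the AD bit could have been set by anyone."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != query_txid:
        return "mismatch"
    if h["rcode"] == RCODE_SERVFAIL:
        # A validating resolver reports a validation failure as SERVFAIL
        # (unless CD was set); callers must not fall back to an unvalidated path.
        return "bogus"
    if not resolver_trusted:
        return "unverified"
    return "secure" if h["ad"] else "insecure"


def resolve_strict(query_txid, response, resolver_trusted):
    """Strict policy: hand addresses to the caller only for a 'secure' answer."""
    status = classify(query_txid, response, resolver_trusted)
    return status, (extract_a_records(response) if status == "secure" else [])


def constructed_response(txid, ad=True, rcode=0):
    """Constructed for this example: a response for example.com/A with one
    answer, optionally carrying AD, or a SERVFAIL with no answer."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    ancount = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    # answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + (answer if ancount else b"")


if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    for label, r, trusted in [("loopback, AD set", constructed_response(0x1234), True),
                              ("remote, no TSIG", constructed_response(0x1234), False),
                              ("loopback, no AD", constructed_response(0x1234, ad=False), True),
                              ("loopback, SERVFAIL", constructed_response(0x1234, rcode=2), True)]:
        print(label, "->", resolve_strict(0x1234, r, trusted))
```

The point of `resolver_trusted` is the one Phil makes in the last paragraph: the AD bit is an assertion by the resolver, so it is only as good as the link the response arrived over. On loopback that link is the kernel; anywhere else the application needs TSIG (or another authenticated channel) before it may believe AD, and must not quietly downgrade to "insecure" handling when the resolver says SERVFAIL.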

