[getdns-api] some early API comments

Joe Hildebrand (jhildebr) jhildebr at cisco.com
Tue Jan 22 11:20:43 MST 2013

On 1/22/13 11:13 AM, "Phil Pennock" <getdns-api-phil at spodhuis.org> wrote:

>If all the DNSSEC logic is encapsulated inside a dedicated resolver,
>then you just need to replace the resolver.
>If all the DNSSEC logic is also embedded into every application that
>uses DNS, you need to replace every application that uses DNSSEC;
>hopefully it's just a library update, but it still is going to cause
>dependency issues, change management issues, etc etc.

As an application developer, I can never get the resolver replaced.  Ever.
I can't control what other applications do, nor do I care.  I *can*
update my applications at will, and for some of those applications force
people to take upgrades before accessing a service I care about.

>For most of my career, I've been a professional sysadmin/SRE.  As
>someone responsible for the lifecycle of an entire system, I'd *far*
>rather see the complexity and security-impacting decisions of something
>exposed to data from the outside world via UDP constrained to one
>service, running as a uid with no access rights to sensitive data, and
>then talk to that service via a separate link, whether it's a generic
>RPC mechanism or regular DNS, perhaps with TSIG for certainty if it's
>not on localhost.

Multiple layers of security are fine.

Joe Hildebrand
