[getdns-api] Stub vs. recursive, DNSSEC, and design goals for this API

Evan Hunt each at isc.org
Wed Jan 30 10:46:34 MST 2013

On Wed, Jan 30, 2013 at 05:07:26PM +0000, Tony Finch wrote:
> SIG(0) and TSIG are useful when the client and server have some kind
> of trust relationship. But the client doesn't need to trust its recursor
> very much if it is doing its own DNSSEC validation.

Correct.  These would only come into play if you wanted to offload the
work of validation to another server, and use only the minimum amount of
crypto processing necessary to trust your connection to that other server.

> I don't believe it is necessary for a validator to be a recursor: a stub
> can validate replies from a minimally-trusted recursor (received via a
> minimally-trusted network) provided the recursor is at least
> security-aware.

I agree.

> It probably is necessary for a validator to have a cache.

Not strictly necessary, but it would certainly improve the efficiency.

(Digression: I recall hearing some discussion a few years back of a
proposed EDNS(0) option that would enable a stub or forwarder to ask
a resolver for all the records establishing the chain of trust from a
specified root to the QNAME -- so, for example, if you were asking for
www.example.com/A and already had com/DNSKEY in cache, you'd query
for www.example.com/A with root "com", and the resolver would return
example.com/DS, example.com/DNSKEY, www.example.com/A and all the
associated RRSIGs in a single response.  I don't know what happened
to that proposal; it sounds rather useful to me.)

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the getdns-api mailing list