[Dnssec-deployment] DNSSEC aware recursive name servers

David Conrad drc at virtualized.org
Sat Aug 6 02:28:26 EDT 2011


On Aug 5, 2011, at 4:03 PM, Paul Vixie wrote:
>> Absolutely. I didn't say anything about where the cache lives. Right
>> now, if you want to rely on the cache, then you pretty much have to
>> manage it yourself.
> 
> i'm not sure that i want a cache everywhere, where "cache" can mean more
> storage than even a postmodern smart phone should have to use for this

A "postmodern smart phone" should use whatever resources are necessary to provide its user with the performance and security the user requires.  Today, my smartphone has 512MB of RAM. The FreeBSD server I use to run a validating resolver also has 512MB RAM.  My FreeBSD server actually has less non-volatile storage than my smartphone.

The issue of device capacity is a red herring.  

> and can also mean the need for the same type of "clear path DNS" that a
> full recursive name server needs to have, which is increasingly rare in
> the networks my smartphone will be able to join.

The future smartphone network you're imagining is one in which "clear path DNS" is disallowed while a secure channel for stub DNS RPC with magic OPT RRs is allowed?  Really?

You want ubiquitous DNSSEC?  Get it out of the server ghetto and get it mainstreamed and actually useful on devices non-geeks use.  Coming up with new secure channels just means new ways in which folks who want to control resolution will break things.

Regards,
-drc
