[Dnssec-deployment] validation and/or recursion at the edge device

Jim Reid jim at rfc1035.com
Sun Aug 7 13:48:43 EDT 2011


On 7 Aug 2011, at 18:00, David Conrad wrote:

> Somewhat as an aside, it'd be interesting to examine what impact a  
> local resolver would have on bandwidth.  That is, whether the local  
> caching (particularly of DNSSEC-related junk) would outweigh the  
> bandwidth requirements needed to do the recursion.  However, even in  
> wireless, I'm not sure how critical a resource bandwidth will be in  
> the future (LTE/WiMAX/etc).

Considering how much mobile operators are able to extort for moving  
bits around, bandwidth usage is (and probably always will be) a  
critical resource in many environments. :-(

I wonder too what you mean by "local resolver". Is it a stub (bad IMO)  
or something with a cache that's available to everything on the device  
(good IMO)?

Although this is not specifically a DNSSEC deployment issue, remember  
the damage a widely used application with a misbehaving stub can do.  
Particularly to the root server infrastructure.

Once upon a time I looked after an intranet's backbone name servers.  
One site was running DNS servers that didn't do negative caching --  
this was a long time ago -- and they were pounding on the central  
servers asking over and over for the same non-existent name(s).  
Clearly some local applications wouldn't take NXDOMAIN for an answer  
and went into an infinite loop asking the same question.
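
Added example (not part of the original message or thread): a small simulation of the situation described in the last paragraph, where an application keeps retrying a non-existent name through a site server with and without negative caching. The zone data, names, TTL values and class names are constructed assumptions.

```python
# Added illustration: upstream query load with and without negative caching.

ZONE = {"www.example.test": "192.0.2.10"}   # constructed authoritative data
NEG_TTL = 300    # assumed negative TTL in seconds (RFC 2308 derives it from the SOA)
POS_TTL = 3600   # assumed TTL for positive answers


class Upstream:
    """Stands in for the central servers; counts the queries it receives."""
    def __init__(self):
        self.queries = 0

    def resolve(self, name):
        self.queries += 1
        return ZONE.get(name)   # None means NXDOMAIN


class CachingServer:
    """Site-local server; negative caching can be switched off."""
    def __init__(self, upstream, negative_caching):
        self.upstream = upstream
        self.negative_caching = negative_caching
        self.cache = {}   # name -> (answer or None, expiry time)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]                     # served locally, positive or negative
        answer = self.upstream.resolve(name)
        if answer is not None:
            self.cache[name] = (answer, now + POS_TTL)
        elif self.negative_caching:
            self.cache[name] = (None, now + NEG_TTL)   # remember the NXDOMAIN
        return answer


def upstream_load(negative_caching, retries=1000, interval=1):
    """Application retries a non-existent name once per `interval` seconds."""
    upstream = Upstream()
    server = CachingServer(upstream, negative_caching)
    for i in range(retries):
        server.resolve("missing.example.test", now=i * interval)
    return upstream.queries


if __name__ == "__main__":
    print("without negative caching:", upstream_load(False))
    print("with negative caching:   ", upstream_load(True))
```

With negative caching the upstream servers see one query per negative-TTL window instead of one per retry.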

