[Dnssec-deployment] DNSSEC aware recursive name servers

Michael Richardson mcr at sandelman.ca
Wed Aug 10 09:28:25 EDT 2011

>>>>> "Tony" == Tony Finch <dot at dotat.at> writes:
    >> What I meant was a local validating resolver that is running on
    >> the same device where the stub is running along with a cache
    >> (that can be shared by other processes) that operates in
    >> recursive mode rather than iterative mode.  The signaling to "do
    >> DNSSEC validation" is a matter of passing some extra flags in the
    >> API. For this to work, the recursive server has to do the right
    >> thing. This is why I started this thread. It is hard to come by a
    >> recursive server that is DNSSEC aware.

    Tony> I think that BIND's lwresd should be brought back to life to
    Tony> do the job you describe. That is, use the lwres protocol
    Tony> between libc and the local validating cache. This would also
    Tony> make it easier to experiment with passing richer DNSSEC
    Tony> results from the validator.
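
Added illustration, not part of the original thread and not BIND or lwresd code: assuming the stub speaks plain DNS (rather than lwres) to the validating cache, the "extra flags" take the form of the AD header bit and the EDNS0 DO bit, and the stub should believe AD only when the answer came from a resolver on the same host. The function names and the sample responses are constructed for this sketch.

```python
import ipaddress
import struct

RD, AD = 0x0100, 0x0020   # DNS header flag bits (RFC 1035, RFC 4035)
DO = 0x8000               # EDNS0 "DNSSEC OK" flag (RFC 3225)

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Stub query asking for validation: RD and AD in the header, DO in OPT."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, UDP size, ext-rcode, version, flags, rdlen
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO, 0)
    return header + question + opt

def sample_response(flags):
    """Constructed 12-byte response header (QR set, no records) for the demo."""
    return struct.pack("!HHHHHH", 0x1234, 0x8000 | flags, 0, 0, 0, 0)

def classify(response, resolver_ip):
    """Decide what a stub may conclude from the response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & 0x000F == 2:
        return "failed"        # SERVFAIL: what a validator returns for bogus data
    if not flags & AD:
        return "unvalidated"
    # AD is an unauthenticated header bit: accept it only from a resolver
    # on this host, where nothing on the network path could have set it.
    if ipaddress.ip_address(resolver_ip).is_loopback:
        return "validated"
    return "unvalidated"

if __name__ == "__main__":
    print(build_query("example.com").hex())
    answer = sample_response(RD | 0x0080 | AD)   # RA and AD set, NOERROR
    print(classify(answer, "127.0.0.1"))         # local validating cache
    print(classify(answer, "192.0.2.53"))        # same bits, remote resolver
```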


