From mboxrd@z Thu Jan 1 00:00:00 1970
References: <1c739791-2058-4267-bc41-789496d74faf@email.android.com> <20140413175940.GP16334@angus.ind.WPI.EDU>
Date: Mon, 14 Apr 2014 11:29:23 +0200
From: Aaron Wood
To: Dave Taht
Cc: "cerowrt-devel@lists.bufferbloat.net"
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
List-Id: Development issues regarding the cerowrt test router project

> So far as I know the caching functionality in dnsmasq in that instance
> is disabled due to fears about cache poisoning, that I don't fully
> understand. My half understood fear translates into equivalent fears
> for other local dns daemons.

Which isn't near the issue that application-level caching is. It seems to be slowly getting better, but I've seen numerous apps (especially in embedded space) cache resolved addresses seemingly forever. We found this at my day-job when dealing with dns-based failover between servers.

I greatly prefer to disable application-layer caching entirely, and rely on a central caching resolver like dnsmasq in those environments (where we're running local to dnsmasq, so it's very fast).

-Aaron
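
An added example, not part of the message above or of the CeroWrt code, of the failure mode it describes: a client that pins its first DNS answer keeps using the old server after a DNS-based failover, while a cache that honors the record TTL converges within one TTL. The classes, host name, addresses and 30-second TTL are constructed for illustration.

```python
# Added illustration (not from the original message). The zone, host name,
# addresses and TTL below are constructed sample values.

class FakeAuthority:
    """Stands in for the DNS zone: returns (address, ttl) for any name."""
    def __init__(self, address, ttl):
        self.address, self.ttl = address, ttl

    def lookup(self, name):
        return self.address, self.ttl

class PinForeverClient:
    """Application-level cache: resolves once, reuses the answer forever."""
    def __init__(self, authority):
        self.authority, self.pinned = authority, {}

    def resolve(self, name, now):
        if name not in self.pinned:
            self.pinned[name] = self.authority.lookup(name)[0]
        return self.pinned[name]

class TtlCachingResolver:
    """Central cache: an answer is discarded once its TTL has expired."""
    def __init__(self, authority):
        self.authority, self.cache = authority, {}

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is None or now >= entry[1]:
            address, ttl = self.authority.lookup(name)
            entry = self.cache[name] = (address, now + ttl)
        return entry[0]

def simulate_failover(failover_at=45, ttl=30, duration=120, step=15):
    """Return {time: (pinned_answer, ttl_answer)} across a failover event."""
    primary, standby = "192.0.2.10", "192.0.2.20"  # RFC 5737 documentation range
    authority = FakeAuthority(primary, ttl)
    pinned, central = PinForeverClient(authority), TtlCachingResolver(authority)
    timeline = {}
    for now in range(0, duration + 1, step):
        if now >= failover_at:
            authority.address = standby  # operator repoints the record
        timeline[now] = (pinned.resolve("svc.example.test", now),
                         central.resolve("svc.example.test", now))
    return timeline

if __name__ == "__main__":
    for t, (stale, fresh) in simulate_failover().items():
        print(f"t={t:3d}s  pin-forever={stale}  ttl-cache={fresh}")
```

The TTL-honoring cache is stale for at most one TTL after the record changes; the pinned client never recovers until the process restarts.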