From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ore.jhcloos.com (ore.jhcloos.com [198.147.23.85]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.jhcloos.com", Issuer "CA Cert Signing Authority" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id 0086621F25F for ; Fri, 2 May 2014 09:55:12 -0700 (PDT) Received: by ore.jhcloos.com (Postfix, from userid 10) id A467A1DD13; Fri, 2 May 2014 16:55:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=ore14; t=1399049711; bh=KuZgsGgz1/HYXpjo5pSb+FpyaUQ5B1IQ39LZIP14fyY=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=bT2dJ3aYDXAY84dbiWn5/vynmx7HQqwTHfrA7uwyd7L7iPKvQ8prlLWTobmoOkD/t zhk3eCv/CFQZm0UqK1HehGNDk19iBfFf6y22XkyQlmRkRF+Eh93bQ+fNMTDEGmk+IW F8bYGjBb4lFrxg2gI6r8LyP5CliLYVfXCa2gIoEM= Received: by carbon.jhcloos.org (Postfix, from userid 500) id 655736001D; Fri, 2 May 2014 16:40:16 +0000 (UTC) From: James Cloos To: Simon Kelley In-Reply-To: <536293E0.6070508@thekelleys.org.uk> (Simon Kelley's message of "Thu, 01 May 2014 19:35:12 +0100") References: <535EACCB.7090104@thekelleys.org.uk> <20140428232459.GA55372@redoubt.spodhuis.org> <535FA793.8020502@thekelleys.org.uk> <20140429205757.GA70801@redoubt.spodhuis.org> <536293E0.6070508@thekelleys.org.uk> User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.4.50 (gnu/linux) Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC Copyright: Copyright 2014 James Cloos OpenPGP: 0x997A9F17ED7DAEA6; url=https://jhcloos.com/public_key/0x997A9F17ED7DAEA6.asc OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6 Date: Fri, 02 May 2014 12:40:16 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain X-Hashcash: 1:30:140502:simon@thekelleys.org.uk::jBfpUNkxqB5CU/no:0000000000000000000000000000000000000TePat X-Hashcash: 1:30:140502:dave.taht@gmail.com::WepjmOiThHhpjEuq:00000000000000000000000000000000000000000qNRot X-Hashcash: 1:30:140502:jg@freedesktop.org::/4qFoxTDXfUPpAEc:0000000000000000000000000000000000000000001HgWA X-Hashcash: 1:30:140502:dnsmasq-discuss@lists.thekelleys.org.uk::oizsubvuMhbccOsl:000000000000000000000DtHtc X-Hashcash: 1:30:140502:"cerowrt-devel\@lists.bufferbloat.net"::1tob7yIBjBvxY/2C:0000000000000000000000AaaTZ X-Hashcash: 1:30:140502:cerowrt-devel@lists.bufferbloat.net::OwbFMQcOFpG7ROM+:0000000000000000000000000ETK4U Cc: dnsmasq-discuss , "cerowrt-devel@lists.bufferbloat.net" Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014 X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2014 16:55:13 -0000 >>>>> "SK" == Simon Kelley writes: SK> A valid point, but "every leaf system has to be a recursor" is not a SK> pleasant outcome of widely implementing DNSSEC. >From a security POV, every system needs its own local verifier, and every administrative domain needs its own recursor. Optimally every system will have its own validating recursor. SK> I wonder, do the browser-based validators suffer from this, or are SK> they recursors under the hood? They are full validating recursors. Often using libunbound to do the heavy lifting. -JimC -- James Cloos OpenPGP: 0x997A9F17ED7DAEA6