[Cerowrt-devel] Full blown DNSSEC by default?

Aaron Wood woody77 at gmail.com
Mon Apr 14 05:29:23 EDT 2014

> So far as I know the caching functionality in dnsmasq in that instance
> is disabled due to fears about cache poisoning, that I don't fully
> understand. My half understood fear translates into equivalent fears
> for other local dns daemons.

Which isn't near the issue that application-level caching is.  It seems to
be slowly getting better, but I've seen numerous apps (especially in
embedded space) cache resolved addresses seemingly forever.  We found this
at my day-job when dealing with dns-based failover between servers.

I greatly prefer to disable application-layer caching entirely, and rely on
a central caching resolver like dnsmasq in those environments (where we're
running local to dnsmasq, so it's very fast).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140414/3207b322/attachment-0002.html>

More information about the Cerowrt-devel mailing list