[Cerowrt-devel] Full blown DNSSEC by default?
Aaron Wood
woody77 at gmail.com
Mon Apr 14 05:29:23 EDT 2014
>
> So far as I know the caching functionality in dnsmasq in that instance
> is disabled due to fears about cache poisoning, that I don't fully
> understand. My half understood fear translates into equivalent fears
> for other local dns daemons.
Which isn't near the issue that application-level caching is. It seems to
be slowly getting better, but I've seen numerous apps (especially in
embedded space) cache resolved addresses seemingly forever. We found this
at my day-job when dealing with dns-based failover between servers.
I greatly prefer to disable application-layer caching entirely, and rely on
a central caching resolver like dnsmasq in those environments (where we're
running local to dnsmasq, so it's very fast).
-Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140414/3207b322/attachment-0002.html>
More information about the Cerowrt-devel
mailing list