[Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

James Cloos cloos at jhcloos.com
Fri May 2 09:40:16 PDT 2014


>>>>> "SK" == Simon Kelley <simon at thekelleys.org.uk> writes:

SK> A valid point, but "every leaf system has to be a recursor" is not a
SK> pleasant outcome of widely implementing DNSSEC.

>From a security POV, every system needs its own local verifier, and every
administrative domain needs its own recursor.  Optimally every system will
have its own validating recursor.

SK> I wonder, do the browser-based validators suffer from this, or are
SK> they recursors under the hood?

They are full validating recursors.  Often using libunbound to do the
heavy lifting.

-JimC
--
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6


More information about the Cerowrt-devel mailing list