[Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

James Cloos cloos at jhcloos.com
Fri May 2 12:40:16 EDT 2014

>>>>> "SK" == Simon Kelley <simon at thekelleys.org.uk> writes:

SK> A valid point, but "every leaf system has to be a recursor" is not a
SK> pleasant outcome of widely implementing DNSSEC.

>From a security POV, every system needs its own local verifier, and every
administrative domain needs its own recursor.  Optimally every system will
have its own validating recursor.

SK> I wonder, do the browser-based validators suffer from this, or are
SK> they recursors under the hood?

They are full validating recursors.  Often using libunbound to do the
heavy lifting.

James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6

More information about the Cerowrt-devel mailing list