[Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
James Cloos
cloos at jhcloos.com
Fri May 2 12:40:16 EDT 2014
>>>>> "SK" == Simon Kelley <simon at thekelleys.org.uk> writes:
SK> A valid point, but "every leaf system has to be a recursor" is not a
SK> pleasant outcome of widely implementing DNSSEC.
From a security POV, every system needs its own local verifier, and every
administrative domain needs its own recursor. Optimally every system will
have its own validating recursor.
SK> I wonder, do the browser-based validators suffer from this, or are
SK> they recursors under the hood?
They are full validating recursors. Often using libunbound to do the
heavy lifting.
-JimC
--
James Cloos <cloos at jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6