BIND chroot environment in 10-RELEASE...gone?

Mark Andrews marka at isc.org
Sat Dec 7 20:59:11 UTC 2013


In message <52A2CC82.7000101 at bluerosetech.com>, Darren Pilgrim writes:
> On 12/6/2013 6:18 PM, Michael Sinatra wrote:
> > Not every website uses https, but it is VERY useful and important that
> > 100% of the browsers out there support https.  That way, the
> > client/server interactions that need https can get https.  If I want
> > clients to access my site over https, I simply have to put a cert on my
> > website and configure it to force the clients to do the right thing.
> 
> You are absolutely right--we need DNSSEC validation in everything.  But 
> mapping your web browser analogy to DNS, we only need the library 
> providing getaddrinfo() to validate responses.  BIND or Unbound on 
> everything is equivalent to running a caching web proxy on everything. 
> We'd end up with about the same amount of brokenness and stale data 
> issues as well.

Which assumes that a remote common validating cache + local validating
stub resolver will perform better than a local common validating
cache and a mix of local validating applications and non-validating
applications.

The jury is still out on which will give the best performance.  I
do know what will have the smaller packet count on the machine.
The local common validating cache.

Note you can't avoid having the cache validate.  DNSSEC will not
work through a cache when it is under an attack if the cache does not
validate.  Additionally the cache should have a superset of all
trust anchors used by the clients.  Also with a local cache you
have a common understanding of the current time which simplifies
things even if you still need to code for the cache having a different
time reference.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
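The two stub models the thread contrasts (a stub that trusts the cache's AD bit versus one that sets CD and validates on its own) come down to a few header bits. The following is an added example, not code from the thread, BIND or ISC; it uses only the standard library, and the replies it classifies are header-only messages constructed inline for offline use.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000  # lives in the EDNS OPT record's TTL field, not the header

def build_query(name: str, local_validation: bool, qid: int = 0x1234) -> bytes:
    """A-record query with EDNS DO set so the cache returns signatures.
    A stub that validates itself also sets CD, asking the cache to hand back
    data even when the cache's own validation failed; a stub that trusts the
    cache leaves CD clear and relies on the AD bit in the reply."""
    flags = RD | (CD if local_validation else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # 1 question, 1 OPT
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO, 0)
    return header + question + opt

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields a stub looks at."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0x000F, "qr": bool(flags & QR),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "ad": bool(flags & AD), "cd": bool(flags & CD), "ancount": an}

def classify_reply(reply: bytes) -> str:
    """What a non-validating stub can conclude from a cache's reply."""
    h = parse_header(reply)
    if h["rcode"] == 2:
        return "servfail"            # validating cache refused bogus data
    if h["ad"]:
        return "validated-by-cache"  # only meaningful over a trusted path to the cache
    return "unvalidated"             # cache did not (or could not) validate

def constructed_reply(qid: int, rcode: int = 0, ad: bool = False, ancount: int = 1) -> bytes:
    """Header-only reply constructed for offline demonstration (no RRs attached)."""
    flags = QR | RD | RA | (AD if ad else 0) | (rcode & 0x0F)
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    print(parse_header(build_query("example.com.", local_validation=True)))
    for r in (constructed_reply(0x1234, ad=True), constructed_reply(0x1234),
              constructed_reply(0x1234, rcode=2, ancount=0)):
        print(classify_reply(r))
```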
