From: Darren Pilgrim
Date: Fri, 06 Dec 2013 23:21:38 -0800
To: Michael Sinatra
Cc: freebsd-stable
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID: <52A2CC82.7000101@bluerosetech.com>
In-Reply-To: <52A28592.1000200@rancid.berkeley.edu>

On 12/6/2013 6:18 PM, Michael Sinatra wrote:
> Not every website uses https, but it is VERY useful and important that
> 100% of the browsers out there support https. That way, the
> client/server interactions that need https can get https. If I want
> clients to access my site over https, I simply have to put a cert on my
> website and configure it to force the clients to do the right thing.

You are absolutely right--we need DNSSEC validation in everything. But mapping your web browser analogy to DNS, we only need the library providing getaddrinfo() to validate responses. BIND or Unbound on everything is equivalent to running a caching web proxy on everything. We'd end up with about the same amount of brokenness and stale data issues as well.