Date:      Sun, 08 Dec 2013 07:58:53 +1100
From:      Mark Andrews <marka@isc.org>
To:        freebsd-stable <freebsd-stable@freebsd.org>
Cc:        Michael Sinatra <michael@rancid.berkeley.edu>
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <20131207205853.52B5FB5940A@rock.dv.isc.org>
In-Reply-To: Your message of "Fri, 06 Dec 2013 23:21:38 -0800." <52A2CC82.7000101@bluerosetech.com>
References:  <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk> <alpine.BSF.2.00.1312041212000.2022@badger.tharned.org> <E915D8A5-1CD0-465B-BAD1-59C45C9415F4@gid.co.uk> <20131205193815.05de3829de9e33197fe210ac@getmail.no> <20131206143944.4873391d@suse3> <20131206220016.BADCAB556F4@rock.dv.isc.org> <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com> <20131206223300.89253B55861@rock.dv.isc.org> <1386370916.5659.56527093.3A6A1DF1@webmail.messagingengine.com> <52A28592.1000200@rancid.berkeley.edu> <52A2CC82.7000101@bluerosetech.com>


In message <52A2CC82.7000101@bluerosetech.com>, Darren Pilgrim writes:
> On 12/6/2013 6:18 PM, Michael Sinatra wrote:
> > Not every website uses https, but it is VERY useful and important that
> > 100% of the browsers out there support https.  That way, the
> > client/server interactions that need https can get https.  If I want
> > clients to access my site over https, I simply have to put a cert on my
> > website and configure it to force the clients to do the right thing.
> 
> You are absolutely right--we need DNSSEC validation in everything.  But 
> mapping your web browser analogy to DNS, we only need the library 
> providing getaddrinfo() to validate responses.  BIND or Unbound on 
> everything is equivalent to running a caching web proxy on everything. 
> We'd end up with about the same amount of brokenness and stale data 
> issues as well.

Which assumes that a remote common validating cache + local validating
stub resolver will perform better than a local common validating
cache and a mix of local validating applications and non-validating
applications.

The jury is still out on which will give the best performance.  I
do know what will have the smaller packet count on the machine.
The local common validating cache.

Note you can't avoid having the cache validate.  DNSSEC will not
work through a cache when it is under an attack if the cache does not
validate.  Additionally the cache should have a superset of all
trust anchors used by the clients.  Also with a local cache you
have a common understanding of the current time which simplifies
things even if you still need to code for the cache having a different
time reference.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
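Added example, not written by any participant in this thread: the time check a DNSSEC validator applies to every RRSIG (RFC 4035 section 5.3.1), using RFC 1982 serial-number arithmetic on the 32-bit inception and expiration fields (RFC 4034 section 3.1.5). It shows concretely why each validator, whether the shared cache or a validating stub or application, needs a trustworthy clock, and what a clock-skew allowance does and does not fix. The RRSIG record, the key tag and the base64 signature are constructed for illustration and are not real signed data; the clock values are chosen around the date of this message.

```python
"""RRSIG validity-window check with RFC 1982 serial arithmetic.

Added example for this thread; the sample record below is constructed
and is not real signed data.
"""
import datetime as dt
from dataclasses import dataclass

MOD = 1 << 32    # RRSIG times are 32-bit unsigned seconds since the epoch
HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' modulo 2^32, so the check survives the 2106 wrap."""
    a %= MOD
    b %= MOD
    return a != b and ((a < b and b - a < HALF) or (a > b and a - b > HALF))


def classify(inception: int, expiration: int, now: int, skew: int = 0) -> str:
    """Return 'valid', 'not yet valid' or 'expired' for the validator's clock.

    `skew` widens the window on both sides; resolvers allow a small value
    to tolerate drift between the signer's clock and their own.
    """
    if serial_lt(now, inception - skew):
        return "not yet valid"
    if serial_lt(expiration + skew, now):
        return "expired"
    return "valid"


def rrsig_time_to_unix(field: str) -> int:
    """Convert the YYYYMMDDHHmmSS (UTC) presentation form to the wire value."""
    t = dt.datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)
    return int(t.timestamp()) % MOD


@dataclass
class RRSIG:
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int   # wire value, seconds since the epoch mod 2^32
    inception: int
    key_tag: int
    signer: str
    signature: str


def parse_rrsig(line: str) -> RRSIG:
    """Parse presentation format:
    owner TTL class RRSIG type alg labels origttl expiration inception keytag signer sig...
    Note that expiration precedes inception in the record."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return RRSIG(
        owner=f[0], type_covered=f[4], algorithm=int(f[5]), labels=int(f[6]),
        original_ttl=int(f[7]),
        expiration=rrsig_time_to_unix(f[8]),
        inception=rrsig_time_to_unix(f[9]),
        key_tag=int(f[10]), signer=f[11], signature="".join(f[12:]),
    )


def check_rrsig(line: str, now: int, skew: int = 0) -> str:
    """Parse one RRSIG line and classify it against the validator's clock."""
    sig = parse_rrsig(line)
    return classify(sig.inception, sig.expiration, now, skew)


# Constructed record: signed on the day of this message, valid for two weeks.
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG A 13 2 3600 20131221000000 "
                "20131207000000 12345 example.com. bm90LWEtcmVhbC1zaWduYXR1cmU=")

if __name__ == "__main__":
    clocks = {
        "cache with correct time": rrsig_time_to_unix("20131207205853"),
        "client clock stuck at 2000-01-01": rrsig_time_to_unix("20000101000000"),
        "client clock 1s past expiry": rrsig_time_to_unix("20131221000001"),
    }
    for name, now in clocks.items():
        print(f"{name:34s} skew=0: {check_rrsig(SAMPLE_RRSIG, now):13s} "
              f"skew=3600: {check_rrsig(SAMPLE_RRSIG, now, 3600)}")
```

The skew allowance rescues a clock that is seconds or minutes off, but a client whose clock has never been set (the year-2000 case) reports every signature as not yet valid, and no reasonable skew changes that. A shared local cache with a correct clock validates the same record successfully, which is the "common understanding of the current time" the message refers to; a stub that validates for itself still has to get its own clock right.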