From: Mark Andrews <marka@isc.org>
To: freebsd-stable
Cc: Michael Sinatra
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Date: Sun, 08 Dec 2013 07:58:53 +1100
Message-Id: <20131207205853.52B5FB5940A@rock.dv.isc.org>
In-reply-to: <52A2CC82.7000101@bluerosetech.com>

In message <52A2CC82.7000101@bluerosetech.com>, Darren Pilgrim writes:

> On 12/6/2013 6:18 PM, Michael Sinatra wrote:
> > Not every website uses https, but it is VERY useful and important that
> > 100% of the browsers out there support https. That way, the
> > client/server interactions that need https can get https. If I want
> > clients to access my site over https, I simply have to put a cert on my
> > website and configure it to force the clients to do the right thing.
>
> You are absolutely right--we need DNSSEC validation in everything. But
> mapping your web browser analogy to DNS, we only need the library
> providing getaddrinfo() to validate responses. BIND or Unbound on
> everything is equivalent to running a caching web proxy on everything.
> We'd end up with about the same amount of brokenness and stale data
> issues as well.

Which assumes that a remote common validating cache + local validating
stub resolver will perform better than a local common validating cache
and a mix of local validating applications and non-validating
applications. The jury is still out on which will give the best
performance. I do know what will have the smaller packet count on the
machine: the local common validating cache.

Note you can't avoid having the cache validate. DNSSEC will not work
through a cache when it is under an attack if the cache does not
validate. Additionally the cache should have a superset of all trust
anchors used by the clients.

Also with a local cache you have a common understanding of the current
time, which simplifies things even if you still need to code for the
cache having a different time reference.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
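The point above that the cache itself must validate is easy to check from a client: query the cache with `dig +dnssec` for a correctly signed name (a validating cache sets the AD flag) and for a name whose signatures are deliberately bogus (a validating cache answers SERVFAIL instead of serving the bogus data). The script below is an added example, not code from the thread or from BIND; it parses dig's header section and classifies the cache, using constructed sample responses so it runs offline (the name `classify_cache` and the sample outputs are assumptions of this example).

```python
"""Classify a DNS cache as DNSSEC-validating or not from two dig responses.

Run against a real cache with, for example:
    dig @<cache> +dnssec <signed-name> A
    dig @<cache> +dnssec <name-with-bogus-signatures> A
and feed the outputs to classify_cache(). Note that the AD flag is only
meaningful when the path to the cache is trusted (a cache on localhost, or
one reached over an authenticated channel); over an untrusted network the
flag can be forged, which is one argument for a local validating cache.
"""
import re

# Constructed sample: a validating cache answering for a correctly signed name.
GOOD_NAME_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41283
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed sample: the same cache refusing a name with bogus signatures.
BOGUS_NAME_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9241
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed sample: a non-validating cache serving the bogus data anyway.
NONVALIDATING_BOGUS_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7730
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")


def parse_header(dig_output: str) -> tuple:
    """Return (rcode, frozenset of header flags) from dig's ';; ->>HEADER<<-' section."""
    status, flags = STATUS_RE.search(dig_output), FLAGS_RE.search(dig_output)
    if status is None or flags is None:
        raise ValueError("no dig header section found in output")
    return status.group(1), frozenset(flags.group(1).split())


def classify_cache(good_output: str, bogus_output: str) -> str:
    """'validating' if signed data comes back with AD and bogus data is refused,
    'not-validating' if bogus data is served, 'inconclusive' otherwise."""
    good_rcode, good_flags = parse_header(good_output)
    bogus_rcode, _ = parse_header(bogus_output)
    if bogus_rcode == "NOERROR":
        return "not-validating"  # bogus answer served: clients must validate themselves
    if "ad" in good_flags and bogus_rcode == "SERVFAIL":
        return "validating"
    return "inconclusive"
```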