Date: Fri, 06 Dec 2013 23:21:38 -0800 From: Darren Pilgrim <list_freebsd@bluerosetech.com> To: Michael Sinatra <michael@rancid.berkeley.edu> Cc: freebsd-stable <freebsd-stable@freebsd.org> Subject: Re: BIND chroot environment in 10-RELEASE...gone? Message-ID: <52A2CC82.7000101@bluerosetech.com> In-Reply-To: <52A28592.1000200@rancid.berkeley.edu> References: <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk> <alpine.BSF.2.00.1312041212000.2022@badger.tharned.org> <E915D8A5-1CD0-465B-BAD1-59C45C9415F4@gid.co.uk> <20131205193815.05de3829de9e33197fe210ac@getmail.no> <20131206143944.4873391d@suse3> <20131206220016.BADCAB556F4@rock.dv.isc.org> <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com> <20131206223300.89253B55861@rock.dv.isc.org> <1386370916.5659.56527093.3A6A1DF1@webmail.messagingengine.com> <52A28592.1000200@rancid.berkeley.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/6/2013 6:18 PM, Michael Sinatra wrote: > Not every website uses https, but it is VERY useful and important that > 100% of the browsers out there support https. That way, the > client/server interactions that need https can get https. If I want > clients to access my site over https, I simply have to put a cert on my > website and configure it to force the clients to do the right thing. You are absolutely right--we need DNSSEC validation in everything. But mapping your web browser analogy to DNS, we only need the library providing getaddrinfo() to validate responses. BIND or Unbound on everything is equivalent to running a caching web proxy on everything. We'd end up with about the same amount of brokenness and stale data issues as well.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52A2CC82.7000101>