[Openswan dev] DNSSEC (was Re: [ldns-users] function call backs in ldns_resolver_send*?)

Paul Wouters paul at xelerance.com
Wed Dec 15 16:00:57 EST 2010


On Wed, 15 Dec 2010, Miek Gieben wrote:

> No, I mean: do an insecure lookup

Eww. I hope we can move away from that completely :P

>> In short, should openswan link a secure resolver library and cache, or trust the AD bit
>> on localhost? (or other last mile solution IETF comes up with)
>
> use the local resolver
> don't trust the local resolver
> do the validation yourself

If you do validation yourself, I guess you also have to cache yourself?
So then I guess stubunbound should be used? or just libunbound and take
the hit from talking repeatedly to the local resolver cache?

Would implementing either be very different? Can we do libunbound first and
stubunbound later? Wouter? :)

Paul

