xz53 | 2 years ago

> If you're not recursing, you're not really validating DNSSEC records.

Nope, validating in stubs is a thing. systemd's resolved does it. Apple's high-level network frameworks do it if you ask as of a couple of years ago (they've been back and forth on DNSSEC in their lower level API for longer than that). I'm not sure how well they work but they're there.

tptacek|2 years ago

A validating stub resolver is effectively a recursive resolver proxying through another recursor. At the point where you're going to do that, you might as well just run a recursive server. Either way: you don't have the NXDOMAIN problem. I really don't think there's a way to get around this. It's not dispositive of DNSSEC (other things are!), it's just not a real use case?

xz53|2 years ago

> A validating stub resolver is effectively a recursive resolver proxying through another recursor. At the point where you're going to do that, you might as well just run a recursive server.

Every iPhone on the planet might as well be a recursive resolver? Yeah, nah.

bingo-bongo|2 years ago

Bear in mind systemd’s resolved has dnssec validation disabled by default and it’s (afaik) still marked as experimental.