pe> DNS is a complicated, esoteric knowledge set. The reason apps,
pe> middleware and various other boxes mucking with DNS in transit tend
pe> to suck is exactly because the programmers on those boxes don't have
pe> this expertise and make all sorts of bad assumptions about what is
pe> safe/sane.

pe> Resolver coders are vastly more likely to have knowledge of what
pe> might break, what is unsafe, etc. And if they miss a check, the odds
pe> of said resolver coders finding this out quickly, and fixing it and
pe> getting it deployed, are much better than expecting apps or
pe> middleware box developers to do so.

dukhovni> The middleboxes will get it wrong, and will have stale
dukhovni> firmware for decades. Do not place your trust in middleboxes.

Read what I wrote above. I pointed out middleware boxes as places with
mistakes, not as where to try to fix it.

dukhovni> The sanest viable place to do *some* common validation is in
dukhovni> stub resolvers that support type-specific lookup functions
dukhovni> above the basic (qname, qtype) interface, also perhaps in the
dukhovni> system nsswitch and getaddrinfo()).

The sanest but far less likely to be implemented in apps or apps
libraries. Resolvers doing validation are far more likely to have
current code and DNS aware developers. It would be lovely if that were
in devices but is far more likely in the recursive resolvers they talk
to.
