[RPZ] Answering my own RPZ question
david at opendns.com
Tue Jan 10 19:31:40 UTC 2012
On Jan 10, 2012, at 11:23 AM, Vernon Schryver wrote:
> Note that something that validates is either more than a stub or a bit
> of latency pig. It needs caches, root address and key hints, and so
> forth and so on to avoid adding bunches of requests for parent key
> records to every request for www.example.com. Given the attention
> Microsoft, Google, and Mozilla pay to reducing browser latency due to
> DNS traffic, I doubt they'll be enthused about stubs that multiply
> round trips to ISP resolvers.
Indeed. I think the likely outcome will be that everyone runs a full-blown recursor -- though for many use-cases it will be in a forwarder-only mode (while still providing DNSSEC validation, DNSCrypt, etc.).
More information about the DNSfirewalls