[RPZ] Answering my own RPZ question

David Ulevitch david at opendns.com
Tue Jan 10 19:31:40 UTC 2012

On Jan 10, 2012, at 11:23 AM, Vernon Schryver wrote:

> Note that something that validates is either more than a stub or a bit
> of a latency pig.  It needs caches, root address and key hints, and so
> forth and so on to avoid adding bunches of requests for parent key
> records to every request for www.example.com.  Given the attention
> Microsoft, Google, and Mozilla pay to reducing browser latency due to
> DNS traffic, I doubt they'll be enthused about stubs that multiply
> round trips to ISP resolvers.

Indeed. I think the likely outcome will be that everyone runs a full-blown recursor -- though for many use-cases it will be in a forwarder-only mode (while still providing DNSSEC validation, DNSCrypt, etc.).

