kazu-yamamoto/dns

DNSSEC?


erikd commented

What's the possibility of adding DNSSEC to this library? Should it be added here or should it be a separate library?

I would strongly support DNSSEC but I have no time to implement it. PR is highly welcome.

erikd commented

I'll see what I can do. I suspect it's a lot of work :).

For most applications it is unwise to implement DNSSEC directly in a stub resolver. It makes much more sense to delegate the validation to a real DNSSEC-validating resolver on the loopback interface.

The problem with DNSSEC in stub resolvers is that it is very unlikely that such code will stay current with evolving algorithms, and, more importantly, also unlikely that RFC-5011 root key rollover will happen, since the application is ephemeral, and cannot monitor the root key RRset on a regular basis.

So I would not recommend DNSSEC in stub resolvers unless the system provides an RFC5011 tracked/validated root DNSKEY RRset, in which case you may just as well ask the system's resolver instead. That's why we have "AD-bit" support, and I see little point in adding a full DNSSEC implementation at this time.

DNSSEC in Network.DNS would only be useful if someone wanted to actually implement a local resolver alternative to BIND, unbound, etc. in Haskell, rather than just use Network.DNS as a stub resolver (which is all it does now).
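An added illustration (not code from this thread or from the dns package) of the "AD-bit" approach described above: a stub decodes the Authenticated Data flag from the DNS response header, but treats it as meaningful only when the answer came from a validating resolver it trusts, here assumed to be one on the loopback interface. The header bytes and the loopback-only trust policy are constructed for the example.

```python
import ipaddress
import struct

# DNS header flag bits (RFC 1035 header layout; AD/CD from RFC 4035 3.2.3)
QR_FLAG = 0x8000  # response
AD_FLAG = 0x0020  # Authenticated Data: resolver validated the answer
CD_FLAG = 0x0010  # Checking Disabled: client asked for no validation

# Constructed sample 12-byte headers (not captured traffic):
# id=0x1234, flags=0x81a0 (QR, RD, RA, AD), 1 question, 1 answer
HEADER_WITH_AD = bytes.fromhex("1234 81a0 0001 0001 0000 0000")
# same response but flags=0x8180 (QR, RD, RA, AD clear)
HEADER_NO_AD = bytes.fromhex("1234 8180 0001 0001 0000 0000")


def parse_flags(message: bytes) -> int:
    """Return the 16-bit flags word of a DNS message header."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", message[:4])
    if not flags & QR_FLAG:
        raise ValueError("not a response")
    return flags


def ad_bit_set(message: bytes) -> bool:
    """True if the responding resolver asserted it validated the data."""
    return bool(parse_flags(message) & AD_FLAG)


def is_trusted_resolver(resolver_ip: str) -> bool:
    """Assumed policy: only a validating resolver on loopback is trusted.
    AD is a plain header bit; over an unauthenticated path to a remote
    resolver anyone in the middle could set or clear it."""
    return ipaddress.ip_address(resolver_ip).is_loopback


def authenticated(message: bytes, resolver_ip: str) -> bool:
    """Treat the answer as DNSSEC-validated only when both hold:
    the AD bit is set and the answer came from a trusted resolver."""
    return is_trusted_resolver(resolver_ip) and ad_bit_set(message)


if __name__ == "__main__":
    print("AD from 127.0.0.1:", authenticated(HEADER_WITH_AD, "127.0.0.1"))
    print("AD from 192.0.2.53:", authenticated(HEADER_WITH_AD, "192.0.2.53"))
```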

erikd commented

Thanks @vdukhovni . That's useful information.

I think this issue should be closed for now.

Closing as resolved.