Jessie release goal: DNSSEC as default recursive resolver


I'd find it very nice if we had, by default, DNSSEC resolving in Debian,
at least in the "default" configuration (whatever that means). By this,
I mean that any non-experienced user would just install (or upgrade to)
Jessie, start a web browser (Chromium, Iceweasel, etc.: take your
pick...), and have DNSSEC resolving just working. Of course, we'd have
this also for non-browser applications as a consequence if it's
implemented (I'm thinking about stuff like curl, wget), though to me,
the browser part is the most important.

If this means installing a recursive DNS resolver by default (unbound
pops to my mind, since it has the feature by default), I'd say so be it,
though probably that is more of an open question, and an implementation
detail. I personally wouldn't mind at all if the Debian default
configuration would bypass whatever ISPs are providing, since we've seen
this broken in multiple cases (so many that I don't think it's even
necessary to use an example to illustrate that fact here...).

If I'm not mistaken (please correct me), Fedora has the feature, and
has had it for a long time. FreeBSD as well (they have unbound in the
default installer). OpenBSD also removed bind and switched to unbound
(or at least is planning on doing it, I'm not sure). Debian shouldn't be
left behind.

Probably this is too narrow for a release goal, or it is too late to
raise this topic, though I would find it very nice if we had the
feature, which is why I'm raising this topic. Thoughts welcome.

Thomas Goirand (zigo)

P.S.: I won't have time to get involved in this, though I don't think that
there is so much work involved, is there?

