Re: Jessie release goal: DNSSEC as default recursive resolver
Thomas Goirand <firstname.lastname@example.org> writes:
> If this means installing a recursive DNS resolver by default (unbound
> pops to my mind, since it has the feature by default), I'd say so be it,
> though probably that is more of an open question, and an implementation
> detail. I personally wouldn't mind at all if the Debian default
> configuration would bypass whatever ISPs are providing, since we've seen
> this broken in multiple cases (so many that I don't think it's even
> necessary to use an example to illustrate that fact here...).
One has to be careful about this, since quite a few installations are on
unroutable IP addresses that can't do direct DNS queries to the DNS roots.
Even if a system is installed via the network installer, that may be with
the goal of eventually moving it into a private network. If your primary
DNS resolver doesn't reply due to inability to reach the root DNS servers,
it tends to cause all sorts of weird slowness and issues that are hard for
the average user to understand or track down, even if you have other DNS
servers listed as secondary resolvers.
The safe default is still to rely on the organizational DNS resolvers as
provided by DHCP or local manual configuration.
I'm definitely in favor of improved DNSSEC support, but I think it's going
to need to be something that people can optionally install if we're trying
to provide it by bypassing local DNS infrastructure.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>
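Added example (not from this thread, and not Debian's or unbound's own shipped configuration): the middle ground the two messages circle around is a local unbound that validates DNSSEC itself but forwards every query to the resolvers the network already provides, rather than iterating from the root servers. It assumes a Debian-style drop-in directory (/etc/unbound/unbound.conf.d/) and uses the RFC 5737 documentation addresses 192.0.2.53 and 192.0.2.54 as stand-ins for the DHCP- or admin-supplied resolvers; both are assumptions to replace locally.

```conf
# Added example, not part of the original thread or of the unbound package.
# Drop-in: /etc/unbound/unbound.conf.d/forward-validate.conf (path assumed)
# Goal: DNSSEC validation on the host without bypassing the organization's
# resolvers, so a machine on an unroutable network is not left trying to
# reach the roots.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Root trust anchor, maintained by unbound-anchor (RFC 5011 rollover).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # If an upstream strips DNSSEC records, treat the answer as bogus
    # instead of accepting it unvalidated.
    harden-dnssec-stripped: yes
    # Never hand out answers that failed validation.
    val-permissive-mode: no

forward-zone:
    name: "."
    # 192.0.2.53 / 192.0.2.54 are placeholders for the DHCP-provided resolvers.
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
    # Do not fall back to full recursion from the roots when the forwarders
    # fail; on a network that cannot reach the roots that fallback is exactly
    # the source of the hard-to-diagnose timeouts described above.
    forward-first: no
```

Check the syntax with unbound-checkconf, then query it with dig +dnssec @127.0.0.1 for a signed name and confirm the ad flag is set. The trade-off this configuration makes is the one the thread is really about: if the ISP or organizational resolver mangles DNSSEC data, unbound returns SERVFAIL rather than silently returning unvalidated answers, so a broken upstream becomes visible instead of being papered over.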