Re: Jessie release goal: DNSSEC as default recursive resolver

To: debian-devel@lists.debian.org
Subject: Re: Jessie release goal: DNSSEC as default recursive resolver
From: Ondřej Surý <ondrej@sury.org>
Date: Sat, 26 Oct 2013 19:52:32 +0200
Message-id: <[🔎] 1382809952.16288.38938833.72FFFE53@webmail.messagingengine.com>
In-reply-to: <[🔎] 87fvro0zs0.fsf@windlord.stanford.edu>
References: <[🔎] 526BE8E3.9000109@debian.org> <[🔎] 87fvro0zs0.fsf@windlord.stanford.edu>

Hi Russ,

On Sat, Oct 26, 2013, at 18:20, Russ Allbery wrote:
> Thomas Goirand <zigo@debian.org> writes:
> 
> > If this means installing a recursive DNS resolver by default (unbound
> > pops to my mind, since it has the feature by default), I'd say be it,
> > though probably that is more of an open question, and an implementation
> > details. I personally wouldn't mind at all if the Debian default
> > configuration would by-pass whatever ISP are providing, since we've seen
> > this broken in multiple cases (so many that I don't think it's even
> > necessary to use an example to illustrate that fact here...).
> 
> One has to be careful about this, since quite a few installations are on
> unroutable IP addresses that can't do direct DNS queries to the DNS
> roots.
> Even if a system is installed via the network installer, that may be with
> the goal of eventually moving it into a private network.  If your primary
> DNS resolver doesn't reply due to inability to reach the root DNS
> servers,
> it tends to cause all sorts of weird slowness and issues that are hard
> for
> the average user to understand or track down, even if you have other DNS
> servers listed as secondary resolvers.
> 
> The safe default is still to rely on the organizational DNS resolvers as
> provided by DHCP or local manual configuration.

we can adopt dnssec-trigger
(https://www.nlnetlabs.nl/projects/dnssec-trigger/) for such scenarios.

> I'm definitely in favor of improved DNSSEC support, but I think it's
> going to need to be something that people can optionally install if we're
> trying to provide it by bypassing local DNS infrastructure.

I still think that the Debian should be a technology leader.
Conservative, but technology leader. And DNSSEC adoption would help the
case.

Also the DSA has already enabled DANE (DNSSEC validated TLS certs) on
Debian's MTAs, the postfix 2.11 will have DANE support.

I think this goal is very reasonable and I thank Thomas for proposing
it.

O.
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Reply to:

Follow-Ups:
- Re: Jessie release goal: DNSSEC as default recursive resolver
  - From: Thomas Goirand <zigo@debian.org>
- Re: Jessie release goal: DNSSEC as default recursive resolver
  - From: "Thijs Kinkhorst" <thijs@debian.org>

References:
- Jessie release goal: DNSSEC as default recursive resolver
  - From: Thomas Goirand <zigo@debian.org>
- Re: Jessie release goal: DNSSEC as default recursive resolver
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Jessie release goal: DNSSEC as default recursive resolver
Next by Date: Re: Bug#727708: tech-ctte: Decide which init system to default to in Debian.
Previous by thread: Re: Jessie release goal: DNSSEC as default recursive resolver
Next by thread: Re: Jessie release goal: DNSSEC as default recursive resolver
Index(es):
- Date
- Thread