[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Jessie release goal: DNSSEC as default recursive resolver

Hi Russ,

On Sat, Oct 26, 2013, at 18:20, Russ Allbery wrote:
> Thomas Goirand <zigo@debian.org> writes:
> > If this means installing a recursive DNS resolver by default (unbound
> > pops to my mind, since it has the feature by default), I'd say be it,
> > though probably that is more of an open question, and an implementation
> > details. I personally wouldn't mind at all if the Debian default
> > configuration would by-pass whatever ISP are providing, since we've seen
> > this broken in multiple cases (so many that I don't think it's even
> > necessary to use an example to illustrate that fact here...).
> One has to be careful about this, since quite a few installations are on
> unroutable IP addresses that can't do direct DNS queries to the DNS
> roots.
> Even if a system is installed via the network installer, that may be with
> the goal of eventually moving it into a private network.  If your primary
> DNS resolver doesn't reply due to inability to reach the root DNS
> servers,
> it tends to cause all sorts of weird slowness and issues that are hard
> for
> the average user to understand or track down, even if you have other DNS
> servers listed as secondary resolvers.
> The safe default is still to rely on the organizational DNS resolvers as
> provided by DHCP or local manual configuration.

we can adopt dnssec-trigger
(https://www.nlnetlabs.nl/projects/dnssec-trigger/) for such scenarios.

> I'm definitely in favor of improved DNSSEC support, but I think it's
> going to need to be something that people can optionally install if we're
> trying to provide it by bypassing local DNS infrastructure.

I still think that the Debian should be a technology leader.
Conservative, but technology leader. And DNSSEC adoption would help the

Also the DSA has already enabled DANE (DNSSEC validated TLS certs) on
Debian's MTAs, the postfix 2.11 will have DANE support.

I think this goal is very reasonable and I thank Thomas for proposing

Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Reply to: