
Re: Jessie release goal: DNSSEC as default recursive resolver

> On Sat, Oct 26, 2013, at 18:58, Kevin Chadwick wrote:
> > I believe the reliability (DOS) issues that DNSSEC imposes coupled with
> Please, not this again. If you say DNSSEC DOS issue, you must state all
> the other issues that DNS has.

Not really, the security issues are already catered for and not such a
problem. DNSSEC would be great if it was all good but it isn't. Having
people being far more easily prevented from even accessing the internet
is a far more serious issue which needs to be considered for a default
stance of enforced if the AD bit is set.

> > the low level of adoption
> It's certainly more adopted than IPv6 and we do support IPv6.

Of course I am not saying don't support it, it already is by certain
packages but enabled by default without fallback many would disagree and
with fallback, what do you gain? An easy switch on and off in
resolv.conf for example is another matter entirely that would be cool.

> > would make it very unlikely that DNSSEC would
> > be enabled for certainly default resolving on OpenBSD without DNSCURVE
> > protection or some significant DNSSEC re-development.
> How is the DNSSEC adoption by OpenBSD relevant to Debian decisions?

I never said it was, just responding to the OP's post, please re-read
that. The point is OpenBSD having unbound in base is akin to Debian
having unbound in the repo, the only difference being that the code was
audited and configured with a chroot by default etc. first and you
don't need to download it to use it. NSD upstream for example received
some useful patches and other help upstream as a direct result of its
incorporation into base.


'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
