
Re: Jessie release goal: DNSSEC as default recursive resolver

On 28-10-13 19:28, Thomas Goirand wrote:
> So, as per the replies we've read, it seems that the only way to
> implement DNSSEC would be to first check if it works, and if it doesn't,
> fall back to the locally provided recursive DNS server.

This feels upside down to me.

There is nothing in DNSSEC which makes it inherently incompatible with
using DNS forwarders. Talking to the root DNS servers is fun and all,
but there's really no good reason why you shouldn't use the large DNS
cache on your ISP's recursive DNS server.

There's also no reason why you _need_ a local DNS server to be able to
do DNSSEC resolving; you can theoretically use a stub resolver (though
I'm not sure if there's a stub resolver in Debian which supports doing so).

Now, if your local DNS server ignores requests for RRSIG records, or
sabotages DNSSEC in other ways, it might make sense to try to bypass
them, possibly by running a local caching DNS server. But that should
not be the first thing to do.

This end should point toward the ground if you want to go to space.

If it starts pointing toward space you are having a bad problem and you
will not go to space today.

  -- http://xkcd.com/1133/
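The check the message describes, whether the configured forwarder passes RRSIG records through when asked with the EDNS0 DO bit or strips them, written out as an added example that is not part of this thread. `check_forwarder` needs network access and its server address is whatever you point it at; `sample_response` is constructed data standing in for a real reply, and `debian.org` is only a placeholder name.

```python
import socket, struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
OPT_DO = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)  # EDNS0 OPT RR, DO bit set

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_dnssec_query(name, qtype=TYPE_A, txid=0x1234):
    """Recursive query (RD) plus the OPT record, which asks the forwarder to include RRSIGs."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1) + OPT_DO

def _skip_name(msg, off):
    """Advance past a name; a compression pointer (top two bits set) ends it after two bytes."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    """Does the reply carry RRSIG records, the AD (authenticated data) flag and an OPT record?"""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "rrsig": TYPE_RRSIG in types, "edns": TYPE_OPT in types}

def check_forwarder(server, name="debian.org", timeout=3.0):
    """Send the query to a resolver over UDP and inspect the reply (needs network; server is yours)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dnssec_query(name), (server, 53))
        return inspect_response(s.recvfrom(4096)[0])

def sample_response(keep_rrsig):
    """Constructed reply (not real data): A record, RRSIG only if the forwarder kept it, then OPT."""
    flags = 0x81A0 if keep_rrsig else 0x8180     # QR|RD|RA, plus AD only when signatures survived
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 2 if keep_rrsig else 1, 0, 1)
    a_rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    rrsig_rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, 8) + b"\x00" * 8
    return header + encode_name("debian.org") + struct.pack(">HH", TYPE_A, 1) + a_rr + (rrsig_rr if keep_rrsig else b"") + OPT_DO
```

A reply with `rrsig` False (or no `edns` at all) from a forwarder that answers a DO query is the "sabotages DNSSEC" case the message mentions, and is the point at which bypassing it with a local validating cache becomes worth considering.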
