
Re: Jessie release goal: DNSSEC as default recursive resolver



On Tue, Oct 29, 2013, at 17:35, Ian Jackson wrote:
> Wouter Verhelst writes ("Re: Jessie release goal: DNSSEC as default
> recursive resolver"):
> > There is nothing in DNSSEC which makes it inherently incompatible with
> > using DNS forwarders. Talking to the root DNS servers is fun and all,
> > but there's really no good reason why you shouldn't use the large DNS
> > cache on your ISP's recursive DNS server.
> 
> I'm afraid this is not true.  The way DNSSEC is designed means that
> you can't "tunnel" the DNSSEC data through a forwarding nameserver
> which doesn't itself understand DNSSEC at least to a minimal extent.
> 
> If your local forwarder doesn't do this, which is quite likely, you
> have to fall back to the global infrastructure - and hope it's not
> blocked or intercepted.

There are even ways to tunnel DNS through TLS on top of TCP/443.
(Ugly but effective as a last resort.)

> > Now, if your local DNS server ignores requests for RRSIG records, or
> > sabotages DNSSEC in other ways, it might make sense to try to bypass
> > them, possibly by running a local caching DNS server. But that should
> > not be the first thing to do.
> 
> IIRC one of the ways that DNSSEC breaks naive forwarders is that its
> rules for what constitutes an RRset are different to normal.  It's a
> while since I looked at this but I could go and look at the RFCs
> again...

That's true.

O.
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
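The "minimal extent" Ian refers to above is that a forwarder must pass the EDNS0 OPT record with the DO (DNSSEC OK) bit through and return the RRSIG records the upstream sends; a forwarder that drops either leaves a local validator with nothing to validate. The following is an added example, not code from this thread or from Knot DNS: it builds such a DO-bit query in wire format and inspects a response for whether the OPT RR and RRSIGs survived and whether the AD flag is set. The two sample responses are constructed by hand (TEST-NET address, placeholder RRSIG rdata) so the check runs offline.

```python
import struct
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000      # EDNS0 "DNSSEC OK" flag, carried in the OPT RR's TTL field
AD_FLAG = 0x0020     # "Authenticated Data" bit in the DNS header flags

def encode_name(name):
    """Dotted hostname to uncompressed DNS wire format ("" gives the root name)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_dnssec_query(name, qtype=TYPE_A, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT RR carrying the DO bit, so RRSIGs are requested."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return header + question + opt

def build_rr(name, rtype, rdata, ttl=300, cls=1):
    """Resource record in wire format (no name compression)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, cls, ttl, len(rdata)) + rdata

def skip_name(msg, off):
    """Offset just past a name; a compression pointer (top two bits set) ends it in 2 bytes."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    """Classify a response: did the RRSIGs and the OPT RR survive the forwarder, and is AD set?"""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rrsig": TYPE_RRSIG in types, "opt": TYPE_OPT in types, "ad": bool(flags & AD_FLAG)}
# Constructed sample responses (not captured traffic): A record for example.org, with and without DNSSEC data.
_q = encode_name("example.org") + struct.pack("!HH", TYPE_A, 1)
_a = build_rr("example.org", TYPE_A, bytes([192, 0, 2, 1]))          # TEST-NET-1 address
_sig = build_rr("example.org", TYPE_RRSIG, b"\x00" * 40)             # placeholder RRSIG rdata
_opt = build_rr("", TYPE_OPT, b"", ttl=DO_BIT, cls=4096)
AWARE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + _q + _a + _sig + _opt
NAIVE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _q + _a
```

Against a real forwarder you would send `build_dnssec_query(...)` over UDP port 53 and pass the reply to `inspect_response`; `rrsig: False` on a signed zone means the forwarder is stripping DNSSEC data, and a missing `opt` means it does not speak EDNS0 at all.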

