
Re: Jessie release goal: DNSSEC as default recursive resolver



On 29-10-13 17:35, Ian Jackson wrote:
> Wouter Verhelst writes ("Re: Jessie release goal: DNSSEC as default recursive resolver"):
>> There is nothing in DNSSEC which makes it inherently incompatible with
>> using DNS forwarders. Talking to the root DNS servers is fun and all,
>> but there's really no good reason why you shouldn't use the large DNS
>> cache on your ISP's recursive DNS server.
> 
> I'm afraid this is not true.  The way DNSSEC is designed means that
> you can't "tunnel" the DNSSEC data through a forwarding nameserver
> which doesn't itself understand DNSSEC at least to a minimal extent.
> 
> If your local forwarder doesn't do this, which is quite likely, you
> have to fall back to the global infrastructure - and hope it's not
> blocked or intercepted.
> 
>> Now, if your local DNS server ignores requests for RRSIG records, or
>> sabotages DNSSEC in other ways, it might make sense to try to bypass
>> them, possibly by running a local caching DNS server. But that should
>> not be the first thing to do.
> 
> IIRC one of the ways that DNSSEC breaks naive forwarders is that its
> rules for what constitutes an RRset are different to normal.  It's a
> while since I looked at this but I could go and look at the RFCs
> again...

Okay. I'll grant that I never quite read the entirety of the RFCs, and
that there might be some parts of them that I did not understand
correctly, or understood only incompletely.

At any rate, my main point was that we should not default to using a
system-local recursive resolver which ignores the ISP-provided one, just
because that's the "easiest" way to do DNSSEC these days. A cache on an
ISP-provided recursive nameserver is likely to contain a lot of results
for "common" DNS queries, which is good for performance.

It might be a good idea to _fall back_ to that solution if the
alternatives result in not having DNSSEC enabled; but it should not be
the default.

-- 
This end should point toward the ground if you want to go to space.

If it starts pointing toward space you are having a bad problem and you
will not go to space today.

  -- http://xkcd.com/1133/
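The check the two positions above turn on, as an added example that is not part of the thread: before deciding whether a forwarder can be kept or must be bypassed, a local validator can send it a query with the EDNS0 DO bit set and see whether the reply echoes DO and carries RRSIG records. The two replies below are constructed byte strings standing in for a DNSSEC-aware and a naive forwarder, not captured traffic, and the RRSIG signature bytes are dummies.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT, FLAG_AD = 0x8000, 0x0020  # DO: "DNSSEC OK" bit in the OPT TTL field; AD: authenticated data

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def make_rr(rtype, rclass, ttl, rdata, name=b"\xc0\x0c"):
    """One resource record; the default name is a compression pointer to the question name."""
    return name + struct.pack(">HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_dnssec_query(name, qid=0x1234):
    """What a validating resolver sends its forwarder: RD set, plus an EDNS0 OPT RR with DO set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)      # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", TYPE_A, 1)
    opt = make_rr(TYPE_OPT, 4096, DO_BIT, b"", name=b"\x00")    # OPT "class" = UDP payload size
    return header + question + opt

def _skip_name(msg, off):
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:   # walk labels until terminator or pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def inspect_response(resp):
    """Return (ad_flag, rrsig_count, do_echoed) for a reply to a DO-bit query."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4                           # skip QTYPE and QCLASS
    rrsigs, do_echoed = 0, False
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10 + rdlen
        rrsigs += rtype == TYPE_RRSIG
        do_echoed |= rtype == TYPE_OPT and bool(ttl & DO_BIT)
    return bool(flags & FLAG_AD), rrsigs, do_echoed

def forwarder_passes_dnssec(resp):
    """True when the forwarder relays the signatures a local validator needs; AD alone is not enough."""
    _, rrsigs, do_echoed = inspect_response(resp)
    return do_echoed and rrsigs > 0

_Q = encode_name("example.com") + struct.pack(">HH", TYPE_A, 1)     # constructed test replies below
_A = make_rr(TYPE_A, 1, 300, bytes([192, 0, 2, 1]))
_SIG = make_rr(TYPE_RRSIG, 1, 300, bytes(18) + encode_name("example.com") + bytes(64))  # dummy signature
AWARE = struct.pack(">HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 2, 0, 1) + _Q + _A + _SIG + make_rr(TYPE_OPT, 4096, DO_BIT, b"", name=b"\x00")
NAIVE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + _A  # EDNS dropped, RRSIG stripped
```

A forwarder that behaves like NAIVE is the case where falling back to full recursion (or a local caching resolver) becomes necessary; one that behaves like AWARE can stay in the path while validation is done locally.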