Re: Jessie release goal: DNSSEC as default recursive resolver
- To: firstname.lastname@example.org
- Subject: Re: Jessie release goal: DNSSEC as default recursive resolver
- From: Thomas Goirand <email@example.com>
- Date: Sun, 03 Nov 2013 23:21:21 +0800
- Message-id: <527669F1.firstname.lastname@example.org>
- In-reply-to: <52711E08.email@example.com>
- References: <526BE8E3.firstname.lastname@example.org> <email@example.com> <1382809952.16288.38938833.72FFFE53@webmail.messagingengine.com> <firstname.lastname@example.org> <20131028142952.GA8630@angband.pl> <526EACC1.email@example.com> <526EBE2D.firstname.lastname@example.org> <email@example.com> <52711E08.firstname.lastname@example.org>
On 10/30/2013 10:56 PM, Wouter Verhelst wrote:
> At any rate, my main point was that we should not default to using a
> system-local recursive resolver which ignores the ISP-provided one, just
> because that's the "easiest" way to do DNSSEC these days.
Correct, that's not the *only* reason! :)
Another one would be that many ISPs are just doing bad things with their
DNS, like replacing the NXDOMAIN by a catchall that points to
advertising (for example, some Chinese ISPs do that (or at least used
to)), banning some websites from their servers (piratebay has had this
in many countries), and all sorts of other malicious things (another
example, recently, in France, Free / Iliad made the headlines because
they started blocking Google AdWords, which IMO, isn't under their
responsibility as an ISP).
Not trusting the local ISP by default would be a good thing, even without
talking about DNSSEC. I know it, and I have the knowledge and the will
to do that, though maybe it's too hard for the less tech-savvy of our
users. It'd be nice to have an easy solution for these.
However, I do understand the concern that it may sometimes not work and
that this should be addressed. If there's no easy solution, I would
understand that we leave things as they are.
> A cache on an
> ISP-provided recursive nameserver is likely to be containing a lot of
> results for "common" DNS queries, which is good for performance.
I've been using bind on my laptop, querying the root servers directly
for years, and it hasn't bothered me.
> It might be a good idea to _fall back_ to that solution if the
> alternatives result in not having DNSSEC enabled; but it should not be
> the default.
I'm tempted to think the other way around! :)
Though anyway, whatever... if we can have DNSSEC by default, one way or
another, that's a good thing. Let's drop the "local resolver" debate, if
that helps move forward.
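The two resolver behaviours argued over in this thread (an ISP resolver rewriting NXDOMAIN into a catch-all answer, and whether the resolver performs DNSSEC validation at all) can be checked from a client with a couple of raw DNS queries. The script below is an added example, not code from the thread or from Debian; it assumes 192.0.2.53 as a placeholder resolver address and that example.com is a DNSSEC-signed zone.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1, dnssec_ok=True):
    """Minimal DNS query: RD set, one question, optional EDNS0 OPT record with the DO bit."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, 4096-byte payload size, DO bit in the TTL field, no RDATA
    opt = (b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)) if dnssec_ok else b""
    return txid, header + question + opt

def parse_header(response):
    """Return (txid, rcode, ad_flag, answer_count) from the 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return txid, flags & 0x000F, bool(flags & 0x0020), an

def classify_nxdomain_probe(response):
    """For a random label that cannot exist, an honest resolver answers NXDOMAIN (rcode 3).
    NOERROR with answer records means the resolver substituted a catch-all."""
    _, rcode, _, an = parse_header(response)
    if rcode == 3:
        return "clean"
    if rcode == 0 and an > 0:
        return "nxdomain-rewritten"
    return "inconclusive"

def classify_dnssec_probe(response):
    """For a zone known to be signed, a validating resolver sets the AD bit on a NOERROR answer."""
    _, rcode, ad, _ = parse_header(response)
    if rcode != 0:
        return "inconclusive"
    return "validating" if ad else "not-validating"

def probe(resolver_ip, name, dnssec_ok, timeout=3.0):
    """Send one UDP query and return the raw response after checking the transaction id."""
    txid, packet = build_query(name, dnssec_ok=dnssec_ok)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    if parse_header(data)[0] != txid:
        raise ValueError("transaction id mismatch")
    return data

if __name__ == "__main__":
    resolver = "192.0.2.53"  # placeholder: put the ISP-provided resolver address here
    random_name = f"{secrets.token_hex(8)}.example.com"  # label that cannot exist under the zone
    print("NXDOMAIN handling:", classify_nxdomain_probe(probe(resolver, random_name, False)))
    print("DNSSEC validation:", classify_dnssec_probe(probe(resolver, "example.com", True)))
```

The classification only inspects the header, so a resolver that answers the random name with NOERROR and no records still reads as "inconclusive" rather than clean; repeat the probe with a few random labels before drawing a conclusion.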