Re: Jessie release goal: DNSSEC as default recursive resolver
- To: firstname.lastname@example.org
- Subject: Re: Jessie release goal: DNSSEC as default recursive resolver
- From: Wouter Verhelst <email@example.com>
- Date: Tue, 05 Nov 2013 17:50:58 +0100
- Message-id: <[🔎] 527921F2.firstname.lastname@example.org>
- In-reply-to: <[🔎] 527669F1.email@example.com>
- References: <526BE8E3.firstname.lastname@example.org> <email@example.com> <1382809952.16288.38938833.72FFFE53@webmail.messagingengine.com> <firstname.lastname@example.org> <20131028142952.GA8630@angband.pl> <526EACC1.email@example.com> <526EBE2D.firstname.lastname@example.org> <email@example.com> <52711E08.firstname.lastname@example.org> <[🔎] 527669F1.email@example.com>
Op 03-11-13 16:21, Thomas Goirand schreef:
> On 10/30/2013 10:56 PM, Wouter Verhelst wrote:
>> At any rate, my main point was that we should not default to using a
>> system-local recursive resolver which ignores the ISP-provided one, just
>> because that's the "easiest" way to do DNSSEC these days.
> Correct, that's not the *only* reason! :)
> Another one would be that many ISPs are just doing bad things with their
> DNS, like replacing the NXDOMAIN by a catchall that points to
> advertizing (for example, some Chinese ISP do that (or at least used
> to)), banning some websites from their servers (piratebay has had this
> in many countries), and all sorts of other malicious things (another
> example, recently, in France, Free / Illiad made the headlines because
> they started blocking Google ADWords, which IMO, isn't under their
> responsibility as an ISP).
> Not trusting local ISP by default would be a good thing, even without
> talking about DNSSEC.
This does hold some merit, but it is counter to reasonable expectations,
and might also cause us legal issues, if those who require the blocking
of TPB etc take note of what we do.
It *will* also cause problems on networks with local hostnames that
resolve to RFC1918 IP addresses, which (for obvious reasons) cannot be
resolved by a system-local resolver which doesn't know about the default
resolver as available on the network.
> I know it, and I have the knowledge and the will
> to do that, though maybe it's too hard for the less tech-savvy of our
> users. It'd be nice to have an easy solution for these.
> However, I do understand the concern that it may sometimes not work and
> that this should be addressed. If there's no easy solution, I would
> understand that we leave things as they are.
I would prefer that, but would also prefer that there's an easy way to
enable what you're suggesting -- preferably by installing a single package.
>> A cache on an
>> ISP-provided recursive nameserver is likely to be containing a lot of
>> results for "common" DNS queries, which is good for performance.
> I've been using bind on my laptop, querying the root servers directly
> for years, and it hasn't bothered me.
I've been doing so too, but I do notice performance issues from time to
time; and I occasionally switch it off when it would otherwise make me
jump through unnecessary hoops in trying to reach "local" servers when
I'm on a customer network.
This end should point toward the ground if you want to go to space.
If it starts pointing toward space you are having a bad problem and you
will not go to space today.