[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Jessie release goal: DNSSEC as default recursive resolver

On Sun, Oct 27, 2013 at 12:08 AM, Thomas Goirand wrote:

> I'd find it very nice if we had, by default, DNSSEC resolving in Debian,

I've been running this configuration for a while (using unbound on my
laptop) and during my recent travels in Europe I discovered networks
that are problematic in some way wrt DNSSEC:

Some networks block all DNS requests except to the DNS servers
returned in DHCP replies. Usually this restriction is removed after
clicking through a web interface that relies on JavaScript but not

One network stripped DNSSEC stuff from DNS replies.

I solved these by disabling my laptop DNSSEC-enabled resolver,
clicking through whatever web crap got in the way, re-enabling the
DNSSEC-enabled resolver and or connecting to a VPN. Sometimes the VPN
was blocked on the default port and I had to use the https port.

I think whatever solution we use is going to have to be more
complicated than just "enable DNSSEC by default", especially for
end-user systems. I expect that NetworkManager/wicd/etc need to grow a
system that probes the local network and adapts accordingly.



Reply to: