
Re: Jessie release goal: DNSSEC as default recursive resolver



On Sun, Oct 27, 2013 at 12:08 AM, Thomas Goirand wrote:

> I'd find it very nice if we had, by default, DNSSEC resolving in Debian,

I've been running this configuration for a while (using unbound on my
laptop) and during my recent travels in Europe I discovered networks
that are problematic in some way wrt DNSSEC:

Some networks block all DNS requests except to the DNS servers
returned in DHCP replies. Usually this restriction is removed after
clicking through a web interface that relies on JavaScript but not
always.

One network stripped DNSSEC stuff from DNS replies.

I solved these by disabling my laptop DNSSEC-enabled resolver,
clicking through whatever web crap got in the way, re-enabling the
DNSSEC-enabled resolver and/or connecting to a VPN. Sometimes the VPN
was blocked on the default port and I had to use the https port.

I think whatever solution we use is going to have to be more
complicated than just "enable DNSSEC by default", especially for
end-user systems. I expect that NetworkManager/wicd/etc need to grow a
system that probes the local network and adapts accordingly.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
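
The kind of probe the message above asks network managers to grow could look like the sketch below. It is an added example, not part of the original message or of any Debian tool. It builds a query with the EDNS0 DO bit set and classifies the reply as blocked, stripped or DNSSEC-capable. The name signed.example is a placeholder for a zone known to be signed (otherwise "stripped" is a false positive), and the sample replies are constructed for the demo.

```python
import struct

RRSIG = 46  # RR type that carries DNSSEC signatures

def build_query(name, txid=0x1234):
    """A-record query with RD set and an EDNS0 OPT record carrying the DO bit."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)  # DO = 0x8000 in OPT TTL
    return header + qname + struct.pack("!HH", 1, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(reply):
    """Classify the resolver from its reply to build_query(); None means no reply."""
    if reply is None:
        return "blocked"      # e.g. only the DHCP-supplied servers are reachable
    _, flags, qd, an, _, _ = struct.unpack("!6H", reply[:12])
    if flags & 0x000F:        # non-zero RCODE
        return "error"
    off = 12
    for _ in range(qd):       # skip the echoed question section
        off = skip_name(reply, off) + 4
    types = []
    for _ in range(an):       # collect the RR types in the answer section
        off = skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    if not types:
        return "error"
    return "dnssec-ok" if RRSIG in types else "stripped"

def sample_reply(query, signed):
    """Constructed reply for the demo: one A record, plus a dummy RRSIG if signed."""
    question = query[12:-11]  # drop the header and the 11-byte OPT record
    rrs = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if signed:
        rdata = b"\x00" * 24  # placeholder bytes, not a valid signature
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, len(rdata)) + rdata
    header = query[:2] + struct.pack("!5H", 0x8180, 1, 2 if signed else 1, 0, 0)
    return header + question + rrs

if __name__ == "__main__":
    print(classify(sample_reply(build_query("signed.example"), signed=False)))
```

A live probe would send build_query() over UDP to each DHCP-supplied server and pass None to classify() on timeout.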

