Re: Jessie release goal: DNSSEC as default recursive resolver
On Sun, Oct 27, 2013 at 12:08 AM, Thomas Goirand wrote:
> I'd find it very nice if we had, by default, DNSSEC resolving in Debian,

I've been running this configuration for a while (using unbound on my
laptop) and during my recent travels in Europe I discovered networks
that are problematic in some way wrt DNSSEC:

Some networks block all DNS requests except to the DNS servers
returned in DHCP replies. Usually this restriction is removed after
clicking through a web interface that relies on JavaScript, but not
always.

One network stripped DNSSEC stuff from DNS replies.

I solved these by disabling my laptop DNSSEC-enabled resolver,
clicking through whatever web crap got in the way, re-enabling the
DNSSEC-enabled resolver and/or connecting to a VPN. Sometimes the VPN
was blocked on the default port and I had to use the https port.

I think whatever solution we use is going to have to be more
complicated than just "enable DNSSEC by default", especially for
end-user systems. I expect that NetworkManager/wicd/etc need to grow a
system that probes the local network and adapts accordingly.

--
bye,
pabs
http://wiki.debian.org/PaulWise
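
A sketch of the kind of network probe the message above anticipates, as an added example that is not part of the original post and not code from NetworkManager, wicd or unbound. It classifies the reply to a DO-bit query for a name assumed to be in a signed zone into the two failure modes described (direct DNS blocked, DNSSEC records stripped); all function names are hypothetical and the sample replies are constructed.

```python
import struct

RRSIG, OPT, DO_BIT = 46, 41, 0x8000

def build_query(name, qtype=1, txid=0x1234):
    """Query carrying an EDNS0 OPT record whose DO bit requests DNSSEC records."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL field holds DO
    opt = b"\x00" + struct.pack(">HHIH", OPT, 1232, DO_BIT, 0)
    return header + qname + struct.pack(">HH", qtype, 1) + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer is two bytes
            return off + 2
        off += 1 + n

def answer_types(msg):
    """RR types present in the answer section of a raw DNS message."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def classify(reply):
    """reply: raw bytes from a direct DO-bit query, or None if it timed out."""
    if reply is None:
        return "blocked"              # only the DHCP-provided servers answer
    try:
        types = answer_types(reply)
    except (struct.error, IndexError):
        return "malformed"
    if not types:
        return "no-answer"
    return "dnssec-ok" if RRSIG in types else "stripped"

def fake_reply(query, with_rrsig):
    """Constructed reply: one A record, optionally one RRSIG with dummy RDATA."""
    rrs = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", RRSIG, 1, 300, 20) + b"\x00" * 20
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1 + with_rrsig, 0, 0)
    return hdr + query[12:-11] + rrs  # reuse the question, drop the OPT RR
```

A real probe would send `build_query()` over UDP both to the DHCP-provided servers and directly to an outside resolver, pass `None` to `classify()` on timeout, and only then decide whether local validation can stay enabled on that network.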