On 24.08.2015 at 20:19, n...@eml.cc wrote:
> On Mon, Aug 24, 2015, at 11:10 AM, Darcy Kevin (FCA) wrote:
>> Forwarders are selected based on an RTT(round-trip-time)-based algorithm ....
>
> There's an invalid presumption there -- that 'fastest' == 'most desired / highest priority'. Regardless of any specific case, the requested feature allows the user to say, simply, what goes where and when -- rather than having to deal with auto-assumptions.
>
>> Have you considered the option of not forwarding *at*all*?
>
> No. And
>
>> ...talking directly to the authoritative nameservers should allay the privacy concerns associated with talking through a third party....
>
> Not entirely accurate IIUC. The goal is to NOT allow any DNS traffic to traverse over my ISP connection in unencrypted form -- unless it's the absolutely lowest priority (as I defined it) fallback case. For example in my current case,
>
> class (1) traffic is over my VPN 'past' my ISP to my hosted resolver, then out directly to the authoritative NSs
> class (2) traffic is forwarded to/through a dnscrypt-proxy on my bind-instance machine out to dnscrypt'd servers
> class (3) traffic is the fallback case.

and you gain what?

one of your forwarding resolvers needs to do recursion and guess what, it's unencrypted - and even if you prefer 1) for whatever reasons (instead change to an ISP you trust), why not just make that VPN connection reliable and fault tolerant instead of abusing named?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org