Thomas Goirand <z...@debian.org> writes:

> If this means installing a recursive DNS resolver by default (unbound
> pops to my mind, since it has the feature by default), I'd say be it,
> though probably that is more of an open question, and an implementation
> detail. I personally wouldn't mind at all if the Debian default
> configuration would by-pass whatever ISPs are providing, since we've seen
> this broken in multiple cases (so many that I don't think it's even
> necessary to use an example to illustrate that fact here...).

One has to be careful about this, since quite a few installations are on unroutable IP addresses that can't do direct DNS queries to the DNS roots. Even if a system is installed via the network installer, that may be with the goal of eventually moving it into a private network. If your primary DNS resolver doesn't reply due to inability to reach the root DNS servers, it tends to cause all sorts of weird slowness and issues that are hard for the average user to understand or track down, even if you have other DNS servers listed as secondary resolvers.

The safe default is still to rely on the organizational DNS resolvers as provided by DHCP or local manual configuration.

I'm definitely in favor of improved DNSSEC support, but I think it's going to need to be something that people can optionally install if we're trying to provide it by bypassing local DNS infrastructure.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>