On 29-10-13 17:35, Ian Jackson wrote:
> Wouter Verhelst writes ("Re: Jessie release goal: DNSSEC as default recursive resolver"):
>> There is nothing in DNSSEC which makes it inherently incompatible with using DNS forwarders. Talking to the root DNS servers is fun and all, but there's really no good reason why you shouldn't use the large DNS cache on your ISP's recursive DNS server.
>
> I'm afraid this is not true. The way DNSSEC is designed means that you can't "tunnel" the DNSSEC data through a forwarding nameserver which doesn't itself understand DNSSEC at least to a minimal extent.
>
> If your local forwarder doesn't do this, which is quite likely, you have to fall back to the global infrastructure - and hope it's not blocked or intercepted.
>
>> Now, if your local DNS server ignores requests for RRSIG records, or sabotages DNSSEC in other ways, it might make sense to try to bypass them, possibly by running a local caching DNS server. But that should not be the first thing to do.
>
> IIRC one of the ways that DNSSEC breaks naive forwarders is that its rules for what constitutes an RRset are different to normal. It's a while since I looked at this but I could go and look at the RFCs again...
Okay. I'll grant that I never quite read the entirety of the RFCs, and that there might be some parts of them that I understood incorrectly or incompletely.

At any rate, my main point was that we should not default to using a system-local recursive resolver which ignores the ISP-provided one, just because that's the "easiest" way to do DNSSEC these days. A cache on an ISP-provided recursive nameserver is likely to contain a lot of results for "common" DNS queries, which is good for performance. It might be a good idea to _fall back_ to that solution if the alternatives result in not having DNSSEC enabled; but it should not be the default.

-- 
This end should point toward the ground if you want to go to space.
If it starts pointing toward space you are having a bad problem and you will not go to space today.
  -- http://xkcd.com/1133/
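As an added illustration of the "minimal extent" of DNSSEC awareness a forwarder needs (example code, not from this thread or from Debian): a small Python probe that builds a query carrying the EDNS0 DO bit and inspects a reply for the DO bit echoed back, RRSIG records in the answer, and the AD flag a validating upstream would set. The two replies are constructed inline to stand in for a DNSSEC-aware and a naive forwarder; the name and addresses are assumptions.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD = 0x0020   # "authenticated data" bit in the DNS header flags
EDNS_DO = 0x8000   # "DNSSEC OK" bit in the OPT RR TTL field

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_dnssec_query(name, txid=0x1234):
    # RD set, one question, one OPT RR (payload 4096) with DO: what a
    # validating stub sends and a forwarder must pass upstream unchanged.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt

def skip_name(data, off):
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + ln

def inspect_response(data):
    # Walk every RR; report the three signs that DNSSEC data survived the hop.
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, types, do_echoed = 12, [], False
    for _ in range(qd):
        off = skip_name(data, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
        do_echoed |= (rtype == TYPE_OPT and bool(ttl & EDNS_DO))
    return {"ad": bool(flags & FLAG_AD), "do": do_echoed, "rrsig": TYPE_RRSIG in types}

def constructed_response(name, dnssec_aware):
    # Constructed sample reply (not captured traffic): A record for 192.0.2.1,
    # plus RRSIG, OPT(DO) and AD only when the forwarder understood DNSSEC.
    flags = 0x8180 | (FLAG_AD if dnssec_aware else 0)
    ptr = b"\xc0\x0c"  # pointer back to the question name at offset 12
    rrs = [ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    ar = 0
    if dnssec_aware:
        sig = b"\x00" * 18 + encode_name(name) + b"\x00" * 64  # dummy RRSIG body
        rrs.append(ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig)
        rrs.append(b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0))
        ar = 1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs) - ar, 0, ar)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, 1) + b"".join(rrs)
```

A reply with none of the three set is what Ian describes: the forwarder stripped the DNSSEC data, and the stub has to go around it or give up on validation.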