On Sun, Oct 27, 2013 at 12:08 AM, Thomas Goirand wrote:

> I'd find it very nice if we had, by default, DNSSEC resolving in Debian,

I've been running this configuration for a while (using unbound on my
laptop) and during my recent travels in Europe I discovered networks
that are problematic in some way wrt DNSSEC:

Some networks block all DNS requests except to the DNS servers
returned in DHCP replies. Usually this restriction is removed after
clicking through a web interface that relies on JavaScript but not
always.

One network stripped DNSSEC stuff from DNS replies.

I solved these by disabling my laptop DNSSEC-enabled resolver,
clicking through whatever web crap got in the way, re-enabling the
DNSSEC-enabled resolver and/or connecting to a VPN. Sometimes the VPN
was blocked on the default port and I had to use the https port.

I think whatever solution we use is going to have to be more
complicated than just "enable DNSSEC by default", especially for
end-user systems. I expect that NetworkManager/wicd/etc need to grow a
system that probes the local network and adapts accordingly.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
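
An added example, not part of the message above and not code from NetworkManager, wicd or unbound: one way a network probe could tell apart the two failure modes described (DNS blocked outright, DNSSEC records stripped). The function names, the result labels and the constructed `fake_response` fixture are hypothetical, and the probe is assumed to ask for a name in a zone known to be signed.

```python
import struct

RRSIG, OPT = 46, 41  # DNS RR type codes

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_probe(name, txid=0x1234):
    """A query carrying an EDNS0 OPT record with the DO (DNSSEC OK) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, one question, one additional
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0x8000, 0)  # DO is bit 15 of the flags field
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + opt

def skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length

def classify(response):
    """Classify the reply to build_probe() for a name in a signed zone (None = timed out)."""
    if response is None:
        return "blocked"
    try:
        _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
        off, types = 12, []
        for _ in range(qd):
            off = skip_name(response, off) + 4
        for _ in range(an):
            off = skip_name(response, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            types.append(rtype)
            off += 10 + rdlen
    except (IndexError, struct.error):
        return "malformed"
    if flags & 0x000F or not types:
        return "no-answer"
    return "dnssec-ok" if RRSIG in types else "stripped"

def fake_response(name, rrtypes):
    """Constructed test fixture: a reply whose answer section holds the given RR types."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrtypes), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for t in rrtypes:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, 4) + b"\x00\x00\x00\x00"
    return msg
```

A "stripped" or "blocked" result is the signal for falling back to the DHCP-supplied resolver until the network changes; "dnssec-ok" only shows that signatures arrive, not that they validate.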

