On 2/26/21 12:10 PM, Marius Schwarz wrote:
> Am 25.02.21 um 10:51 schrieb Florian Weimer:
>>
>> Why do you think that?
>>
>> Caching DNS server availability is a commonly requested feature even in
>> data center deployments.  The way Fedora currently implements its DNS
>> client, it more or less defeats the built-in high availability mechanism
>> of DNS, and complex network-based mitigations are needed (like using
>> anycast DNS resolvers).
> 
> If you run a server farm with mail servers, you usually have antispam
> services like Spamhaus enabled.
> 
> If one server from an IP address range is using Spamhaus, Spamhaus is fine
> with it.
> If a hundred IPs from that IP address range ask Spamhaus, you get blocked
> quite fast.

Nobody here requested independent iteration from the root servers, right? If
a machine is caching itself, it would reduce the load on the upstream
resolver. If the local cache forwards cache misses to a central DNS cache
configured by the network administrators, no blocking should ever happen.
systemd-resolved and dnsmasq are incapable of independent resolving; they
always need an upstream iterative resolver doing the work for them. Unbound is
capable of doing that, but nobody proposed that. Use of forwarders is
always expected by default. It might only depend on how to choose them.

A local cache is especially useful on a DNS-intensive service, which SMTP
with various spam filters tends to be. Spamhaus wants to prevent
unconfigured unbound or bind caches, which would, without additional
configuration, iterate from the root servers. Just add forwarders to the shared
network cache.
> 
> The cache on the server itself is of limited use here. That's why you use
> a central DNS cache on one server,
> so anyone benefits from the caching and Spamhaus is happy: win-win.
> 
> On a desktop / laptop you won't have such a scenario in the first place,
> here local caching makes more sense.
Multi-layer caching is supported by DNS. Having a local cache on the host
does not prevent caching also by a big DNS cache for the whole network. On
the contrary. It is a bit suppressed by DNS over TLS/HTTPS, but the default
configuration still should obtain DNS from DHCP/autoconfiguration. On
servers, clients, VMs and containers.
> 
> best regards,
> Marius Schwarz
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
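As an added illustration (not part of the thread, not Fedora's or unbound's shipped configuration): an unbound.conf fragment that turns a host-local cache into a forwarding cache for the shared network resolver, so cache misses go to the central cache instead of being iterated from the root servers. The addresses 192.0.2.53 and 192.0.2.54 are constructed placeholders for the central caches the network administrator provides.

```conf
# Added example: host-local unbound as a forwarding cache.
# 192.0.2.53 / 192.0.2.54 are constructed placeholders for the
# central caches handed out by the network administrator.
server:
    # Answer only local processes (e.g. the MTA and its spam filters).
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    # Refresh popular records before they expire; useful for a
    # DNS-intensive workload such as SMTP with DNSBL lookups.
    prefetch: yes

# Without a forward-zone for "." unbound resolves iteratively from the
# root servers itself, which is the "unconfigured cache" the thread
# warns about: every host then looks like an independent resolver.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
    # forward-first: yes would let unbound fall back to iterating on
    # its own when the forwarders do not answer; keep it off so all
    # misses stay behind the shared network cache.
    forward-first: no
```

With this in place the host keeps its own cache (first layer) while the central cache (second layer) is the only resolver the outside world sees.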


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure