Jonathan Stewart wrote:
> Robert Edmonds <edmo...@mycre.ws> wrote:
>
> > Chuck Anderson wrote:
> > > 2. Use a local DNS daemon on every server with forwarders configured
> > > to the network's nameservers, and fix resolv.conf to 127.0.0.1.
> >
> > I'll shamelessly admit that I do this on all my Debian systems, where
> > "apt-get install unbound resolvconf" results in exactly that
> > configuration.
>
> Does this result in a DNSSEC-validating resolver, as well?
Yes, it does. We ship a default config for Unbound that uses the
"auto-trust-anchor-file" mode for the root trust anchor. You have to
specifically remove that from the config in order to disable DNSSEC
validation.

> If so, then Chuck's problem is actually a solved one, and his request (as
> mine would be) is that the Linux distributions make this default, so long
> as the setting of one or more recursive resolvers was easy.

Er, not really. This config is just plain old DNSSEC validation, so you
(rightly) get no DNS resolution at all on networks where it is not possible
to perform DNSSEC validation (e.g., random wifi hotspots). We could not
realistically enable this by default for all Debian installations, not
without additional components (e.g., dnssec-trigger) to fix the hotspot
problem.

> Of course, in an environment where DNS queries have not been restricted,
> this setup should run standalone, resolving DNS queries from the root.

No, by default resolvconf configures Unbound to forward lookups to the DNS
servers that the system has been configured to use. (Either statically
assigned or learned via DHCP.) If the sysadmin configures the system to not
use any upstream DNS servers then forwarding mode is turned off and Unbound
does full recursion.

-- 
Robert Edmonds

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
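The two behaviours Robert describes (a validating Unbound that forwards to the system's upstream resolvers when any are configured and recurses from the root otherwise, and the "no resolution at all" failure mode on networks where validation cannot succeed) can be made concrete in a small script. This is an added example, not code from the thread and not the Debian unbound or resolvconf packages' own hook; the config file path `/var/lib/unbound/root.key`, the `interface` line and the exact config layout are assumptions, and the dig output it classifies is constructed inline rather than captured from a real server.

```shell
#!/bin/sh
# Added example, not from the thread or from the Debian unbound package.
# Two pieces: (1) render a validating Unbound config that forwards to the
# system's upstream resolvers when any are known and otherwise does full
# recursion, mirroring the behaviour described for Debian's resolvconf hook
# (the trust-anchor path and the exact layout are assumptions, not Debian's);
# (2) classify a dig answer from the local resolver so a validated answer
# can be told apart from an unvalidated one and from a validation failure.

# Render unbound.conf text. $1: space-separated upstream resolver addresses
# (as learned via DHCP or set statically); empty means "no upstreams", so no
# forward-zone is emitted and Unbound recurses from the root itself.
render_unbound_conf() {
    printf 'server:\n'
    printf '    interface: 127.0.0.1\n'
    # Root trust anchor kept up to date by Unbound itself (RFC 5011 mode).
    # Removing this line is what turns validation off.
    printf '    auto-trust-anchor-file: "/var/lib/unbound/root.key"\n'
    if [ -n "$1" ]; then
        printf 'forward-zone:\n'
        printf '    name: "."\n'
        for addr in $1; do
            printf '    forward-addr: %s\n' "$addr"
        done
    fi
}

# Classify the output of `dig +dnssec <name> @127.0.0.1`:
#   secure   - NOERROR with the AD flag: Unbound validated the answer
#   insecure - NOERROR without AD: zone is unsigned (or validation disabled)
#   bogus    - SERVFAIL: validation failed, which is also what you see when
#              an upstream (the hotspot case) strips or blocks DNSSEC data
classify_dig_output() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Constructed dig header fragments (not captured from a real server).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Stand-alone demo: forwarding config, recursion-only config, one classification.
render_unbound_conf "192.0.2.53 192.0.2.54"
render_unbound_conf ""
classify_dig_output "$SAMPLE_SECURE"
```

Redirect the rendered text to a file and run `unbound-checkconf` on it before installing it. When a lookup comes back `bogus` on an unfamiliar network, repeating the query with `dig +cd` tells you whether the upstream is merely unable to serve DNSSEC data (the `+cd` query succeeds) or simply dead (it fails too); that distinction is exactly the gap dnssec-trigger exists to handle.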