On Sat, Apr 12, 2014 at 04:03:14PM +0200, Reindl Harald wrote:
>
>
> On 12.04.2014 15:31, Chuck Anderson wrote:
> > On Sat, Apr 12, 2014 at 02:09:19PM +0800, P J P wrote:
> >>> On Saturday, 12 April 2014 11:11 AM, William Brown wrote:
> >>> Say I have freshly installed my Fedora system at home. I then boot it up
> >>> and start to use it. My laptop is caching DNS results all the while from
> >>> the "unreliable" ISP.
> >>>
> >>> I then go to work and suddenly things don't work.
> >>>
> >>> Having a DNS cache doesn't fix your unreliable ISP: You need to lodge a
> >>> complaint with your ISP.
> >>
> >> What, no! That was the case for having a local cache and not forwarding
> >> queries to the ISP's name servers at all. Because those are not reliable.
> >
> > I disagree. You can still do DNSSEC validation with a local caching
> > resolver and configure that local resolver to forward all queries to
> > the ISP. That should be tried first, and only bypassed and become a
> > full iterative recursive querier bypassing the ISP resolvers if that
> > fails. We need to respect the DNS caching infrastructure by default.
>
> nonsense - there are so many ISP nameservers broken out there
> responding with wildcards and so on that you can not trust them
> and you will realize that, if not before, after you start to run
> a production mailserver which relies on NXDOMAIN responses for
> proper operation

I don't disagree that there is lots of broken DNS out there. But realistically, we still need to default to using the DHCP-provided DNS servers as forwarders because there are unfortunately lots of circumstances where this is required to resolve corporate DNS names or to allow captive portals to work.
If the local caching resolver is intelligent enough, it can handle the common use cases (corporate DNS resolution, VPN into corporate, captive portals) and work around the common failure modes (automatic cache flushing, switching to iterative mode to bypass upstream nameservers when necessary, using both the upstream nameservers AND iterative queries and combining the results) for us. What we cannot do is have the default be to bypass the upstream DNS resolvers without some way to handle the above cases. If mainstream operating systems started doing that by default, then corporate networks, ISPs, captive portals etc. will probably start blocking DNS to outside servers or redirecting port 53 to their own servers. In fact some already do this. We don't want to escalate the arms race by encouraging this behavior.
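One way to express the policy argued for above (validate DNSSEC locally, try the DHCP-provided servers as forwarders first, fall back to full iterative resolution only if they fail, and keep a corporate zone pointed at its own servers), as an added example that is not part of this thread: it assumes the Unbound resolver, and the forwarder addresses and the `corp.example` zone are constructed placeholders.

```conf
server:
    # Validate DNSSEC locally, whatever the upstream forwarder does or does not do.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Answers whose DNSSEC records were stripped by a middlebox are treated as
    # bogus (SERVFAIL) instead of silently downgraded to insecure.
    harden-dnssec-stripped: yes

# Default: forward everything to the DHCP-provided resolvers (placeholder
# addresses), so the ISP's cache is used and captive portals still work.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
    # On forwarder failure (timeout or SERVFAIL, including a failed
    # validation), retry the query as a full iterative recursive resolver
    # from the root servers rather than returning the failure.
    forward-first: yes

# Corporate names stay on the corporate servers (hypothetical zone and
# addresses), so they resolve even when the default path falls back to
# iterative resolution and the public root has no idea about them.
forward-zone:
    name: "corp.example"
    forward-addr: 198.51.100.10
    forward-addr: 198.51.100.11
```

Note that `forward-first` only reacts to failures; a forwarder that answers a non-existent name with a wildcard record instead of NXDOMAIN, the case Reindl raises, is not detected by this setting and needs DNSSEC-signed zones (or a separate broken-resolver check) to be caught.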