On Sun, 2014-04-13 at 06:35 +0200, Reindl Harald wrote: > and if you believe that in a not trustable network you don't > know if you get the signing informations at all - fine, but > you hardly an enforce that with a local software That is the WHOLE point of DNSSEC, really. > if i control the network i control the whle traffic and without > your own satellite link you can't change that It is not necessary, integrity protection allows me to find out if my traffic is getting through or not. If not, though luck. > >> Case 4, 5, 6 and 7: DNS cache, again, isn't needed. > > > > Again, DNSSEC validation on the device requires caching. > > the question is if i gain aynthing doing it on the end-device If you need to ask this question I think you missed the whole point of DNSSEC. > have fun debugging DNS troubles of a road-warrior in your network > without realize that he brings his own DNS server Caching DNS is common on many OSs, it is nothing special really. > >> In conclusion, I don't percieve that a DNS cache in Fedora is a good > >> idea, as it solves few real world problems, and may in fact create > >> issues, mask issues and create a bad stigma about Fedora network > >> reliability. If it is to become available to users I would like: > > > > I believe you will need to re-think that in light of running a > > validating DNSSEC resolver on your laptop or servers. > > no Oh yeah, you have to. You may decide you do not like it. That is fine, but DNSSEC does change things slightly and, IMHO, for the better. > >> * DNS cache is not the default. It bust be enabled on a connection (IE > >> user's in case 1 can enable it if needed) Just to answer William too, I do not think you brought any evidence that this would not be a good default. On the contrary in base OS we've felt for a long time now the need for it. It is a pain to do without a decent cache, and nscd is not it! > >> * DNS cache should be able to be enabled from the NM Gui A way to toggle it on and off is not a bad idea, but I do not think it needs to be a requirement. Turning off the unbound service is not exactly difficult. > >> * DNS cache should be able to be flushed live from the NM Gui I totally agree there should be a way to flush the cache, I am not sure it makes sense to have it in the GUI, certainly nm-cli (or other command) should offer it. > >> * DNS cache should be flushed on route or interface state change. I do not see why, the only reason to flush a cache is when there is a DNS change (new interface, eg VPN coming up, or going away) > >> * If two interfaces are active, the default route DNS cache setting > >> takes precedence. This would break VPNs, which are often not the default route. What you want is to send arbitrary queries to the default DNS, and have forwarders per domain for special interfaces like VPNs (unless in the configuration you establish that all DNS traffic should go over the VPN when you connect). > > You cannot separate dns cache from DNSSEC. DNS caching is not a problem, > > it is a feature. If you don't want your records cached, use ttl=0 > > the cache already is running in my LAN for good reasons That's a different cache, however if you feel strongly you will be able to turn off the local caching dns server on your machines, at your option. > that DNS cache is pushed with DHCP Forwarders are pushed via DHCP, not caches. > that DNS cache already does DNSSEC validation Which is useless in the *general* case. You may think your physical security is perfect, that;s great, but for everybody else, trusting the network is not ok, that's why more an more people de[ploy TLS or GSSAPI in internal networks too. The era of the clear text trusted private network is coming to an end, whether you like it or not. > if you don't trust the network itself you are lost anyways Let me troll a bit, this is why you do all your banking without HTTPS ? :-) I am strongly in favor of a DNS cache on Fedora, and I would even seriously consider any proposal of making it the default on Fedora Server too. Regards, Simo. -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
