On 13.04.2014 08:42, Simo Sorce wrote:

>>>> * DNS cache should be flushed on route or interface state change.
>
> I do not see why, the only reason to flush a cache is when there is a
> DNS change (new interface, eg VPN coming up, or going away)

because if I change my routing from ISP to VPN I want to access the company servers over the VPN - any of them changing the default route is a common way for such a switch

>> the cache already is running in my LAN for good reasons
>
> That's a different cache, however if you feel strongly you will be able
> to turn off the local caching dns server on your machines, at your
> option.
>
>> that DNS cache is pushed with DHCP
>
> Forwarders are pushed via DHCP, not caches

says who? you or better the one who built the network and services?

the DNS servers pushed via DHCP are caches because they do not forward anything, they are doing recursion - if your DNS servers are only forwarders consider changing that

frankly the main reason I stepped in that thread at all is that people started to talk about recursion / forwarding without understanding both terms in the case of DNS

>> that DNS cache already does DNSSEC validation
>
> Which is useless in the *general* case. You may think your physical
> security is perfect, that's great, but for everybody else, trusting the
> network is not ok, that's why more and more people deploy TLS or GSSAPI
> in internal networks too.
> The era of the clear text trusted private network is coming to an end,
> whether you like it or not.
>
>> if you don't trust the network itself you are lost anyways
>
> Let me troll a bit, this is why you do all your banking without
> HTTPS ?

:-)

that is a completely different story, you enter a HTTPS URL manually or triggered by HSTS, so you request an encrypted connection from the very first start

in case of DNS there is nothing encrypted at start resolving and if I properly manipulate the network you are in I hide any DNSSEC response from you (deep packet inspection)

> I am strongly in favor of a DNS cache on Fedora, and I would even
> seriously consider any proposal of making it the default on Fedora
> Server too

as long as it is not a hard wired dependency.....

I don't need additional DNS servers on any system

the systems running BIND are doing that with good reasons
the systems running Unbound as local cache are doing that for good reasons (MTA servers)
the systems running dnsmasq are doing it for good reasons (Reverse-proxy with own DNS view)
Attachment:
signature.asc
Description: OpenPGP digital signature
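The point argued above, that a stub resolver learns about DNSSEC validation only through the AD flag in a response it cannot itself verify unless the validating cache sits on the same host, as an added illustration that is not part of the thread (constructed header-only packets; the classification strings are this example's own):

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, AD/CD from RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields a stub resolver actually sees."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "authenticated_data": bool(flags & AD),
        "checking_disabled": bool(flags & CD),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def build_response(txid: int, flags: int) -> bytes:
    """Constructed sample: header only (all section counts zero), enough for the flag check."""
    return struct.pack("!6H", txid, flags, 0, 0, 0, 0)


def classify(packet: bytes, resolver_on_localhost: bool) -> str:
    """What the stub may conclude from a response.

    The AD bit is set by the validating resolver and travels unprotected to the
    stub; it is evidence of validation only when the stub-to-resolver hop cannot
    be altered, e.g. a validating cache on 127.0.0.1 (RFC 4035, section 4.9.3).
    """
    h = parse_header(packet)
    if not h["is_response"]:
        return "not a response"
    if not h["authenticated_data"]:
        return "unvalidated"
    return "validated" if resolver_on_localhost else "AD set but unverifiable over network"


# Constructed packets: a validating resolver's answer, and the same answer with AD cleared,
# which is all the stub sees when the resolver does not validate or the path alters it.
VALIDATED = build_response(0x1234, QR | RD | RA | AD)
UNVALIDATED = build_response(0x1234, QR | RD | RA)
```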
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct