On Sun, 2014-04-13 at 02:53 -0400, Simo Sorce wrote:
> On Sun, 2014-04-13 at 16:10 +0930, William Brown wrote:
>
> > A system wide resolver I am not opposed to. I am against a system wide
> > *caching* resolver.
>
> > In this case, a cache *is* helpful, as is DNSSEC. But for the other 6, a
> > cache is a severe detriment.
>
> About the above 2, can you explain *why* ?
> A bunch of people here feel that it would be a great improvement, you
> keep saying it is doomsday, yet I haven't seen a concise explanation of
> why that would be (maybe I overlooked, apologies if so).
>
> > I disable the DNS cache in firefox with developer tools.
>
> So you will be able to do the same by setting 1 configuration option in
> unbound, or you could disable the resolver entirely.
>
> Can you tell why *everybody* should have the cache disabled by default ?
>
> > Additionally, a short TTL is good, for this situation, but it can't fix
> > everything.
>
> Paul mentioned the single configuration option needed to make your
> resolver tweak the TTL locally, what else do you need ? And again why
> your preference should be the default ? What compelling arguments can
> you make ?
>
> Simo.

Internal and external zone views in a business. These records may be different, and so would need flushing between network interface state changes. Additionally, local DNS caches may cause issues and delay diagnosis. It's also not *needed* in a lot of setups.

The business cases were to show that these caching layers already exist on these networks. It would be duplication of effort.

In businesses, it's also commonplace to have a low-ish TTL (say 5 minutes) and when a system is migrated, they swap the A/AAAA records to the new system. The DNS servers on the network are updated, but the workstation has the old record cached. Without a local cache, they would query the local server again, which is relatively cheap. I.e.: it keeps users happier even if they only needed to wait 5 minutes.

Some people like things to be instant. It's certainly not the end of the world, but it's adding more complexity, and a potential source of issues.

There is, additionally, some confusion: it sounds like Paul wants to add the resolver to only forward queries for the local domain name to the local name servers. But it is impossible to discover all possible local domain names that are available.

tl;dr - DNSSEC I believe is a good thing (even if it's rare). I don't think there are "benefits" to caching except in a minor number of cases where existing DNS caching mechanisms aren't in place. We are adding a layer of caching complexity that doesn't solve a real problem.

--
William Brown <william@xxxxxxxxxxxxxxx>
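The stale-record window argued over above, worked through as an added example that is not from the thread, from unbound or from Fedora: a toy workstation-local caching resolver sitting in front of the network's own DNS server, run through the 5-minute-TTL migration scenario. It assumes a local TTL cap in the spirit of unbound's cache-max-ttl, a cache flush as the thing an interface state change would trigger, and constructed names and addresses.

```python
class LocalCache:
    """Workstation-local caching resolver in front of the network's DNS server.
    cache_max_ttl models a cap such as unbound's cache-max-ttl (assumed here);
    0 means never cache, None means honour the record's own TTL."""
    def __init__(self, upstream_zone, cache_max_ttl=None):
        self.zone = upstream_zone        # name -> (value, ttl), the network's DNS
        self.cache_max_ttl = cache_max_ttl
        self.entries = {}                # name -> (value, expiry time)
        self.upstream_queries = 0

    def resolve(self, name, now):
        hit = self.entries.get(name)
        if hit and now < hit[1]:
            return hit[0]                # served locally, possibly stale
        value, ttl = self.zone[name]     # the network's server always has the current record
        self.upstream_queries += 1
        if self.cache_max_ttl is not None:
            ttl = min(ttl, self.cache_max_ttl)
        self.entries[name] = (value, now + ttl)
        return value

    def flush(self):
        self.entries.clear()             # what an interface state change would trigger


def migration_staleness(cache_max_ttl=None, flush_at=None):
    """Swap an A record carrying a 5-minute TTL and count how many seconds the
    workstation keeps receiving the old address, plus the upstream queries it
    cost over 10 minutes. Names and addresses are constructed for the example."""
    zone = {"app.corp.example": ("10.0.0.10", 300)}
    cache = LocalCache(zone, cache_max_ttl)
    cache.resolve("app.corp.example", now=0)            # cached just before the cut-over
    zone["app.corp.example"] = ("10.0.0.20", 300)       # migration: admins swap the record
    stale = 0
    for now in range(1, 600):
        if now == flush_at:
            cache.flush()
        if cache.resolve("app.corp.example", now) == "10.0.0.10":
            stale += 1
    return stale, cache.upstream_queries


if __name__ == "__main__":
    print("honour TTL       :", migration_staleness())
    print("cache-max-ttl 60 :", migration_staleness(cache_max_ttl=60))
    print("flush at t=30    :", migration_staleness(flush_at=30))
    print("no local cache   :", migration_staleness(cache_max_ttl=0))
```

Honouring the TTL leaves the workstation on the old address for the remaining 299 seconds at the cost of two upstream queries, while capping the TTL or flushing on interface change trades extra (cheap) queries to the network's own server for a shorter stale window, and no local cache at all never serves the old record.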
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct