On Sun, 2014-04-13 at 16:39 +0930, William Brown wrote: > On Sun, 2014-04-13 at 02:53 -0400, Simo Sorce wrote: > > On Sun, 2014-04-13 at 16:10 +0930, William Brown wrote: > > > > > A system wide resolver I am not opposed to. I am against a system wide > > > *caching* resolver. > > > > > In this case, a cache *is* helpful, as is DNSSEC. But for the other 6, a > > > cache is a severe detriment. > > > > About the above 2, can you explain *why* ? > > A bunch of people here, feel that it would be a great improvement, you > > keep saying it is doomsday, yet I haven't seen a concise explanation of > > why that would be (maybe I overlooked, apologies if so). > > > > > > > I disable the DNS cache in firefox with developer tools. > > > > So you will be able to do the same by setting 1 configuration option in > > unbound, or you could disable the resolver entirely. > > > > Can you tell why *everybody* should have the cache disabled by default ? > > > > > Additionally, a short TTL is good, for this situation, but it can't fix > > > everything. > > > > Paul mentioned the single configuration option need to make your > > resolver tweak the TTL locally, what else do you need ? And again why > > your preference should be the default ? What compelling arguments can > > you make ? > > > > Simo. > > Internal and external zone views in a business. These records may > different, and so would need flushing between network interface state > changes. > > Additionally, local DNS caches may issues and delay diagnosis. > > It's also not *needed* in a lot of setups. The business cases were to > show that these caching layers already exist on these networks. It would > be duplication of effort. > > In businesses, it's also common place to have a low-ish ttl (Say 5 > minutes) and when a system is migrated, they swap the A/AAAA records to > the new system. The dns servers on the network are updated, but the > workstation has the old record cached. Without a local cache, they would > query the local server again, which is relatively cheap. IE: It keeps > users happier even if they only needed to wait 5 minutes. Some people > like things to be instant. > > > It's certainly not the end of the world, but it's adding more > complexity, and a potential source of issues. > > > There is additionally, some confusion: It sounds like Paul wants to add > the resolver to only forward queries for the local domain name to the > local name servers. But this is impossible to discover all possible > local domain names that are available. > > > tl;dr - DNSSEC I believe is a good thing (Even if it's rare). I don't > think there are "benefits" to caching except in a minor number of cases > where existing DNS caching mechanisms aren't in place. We are adding a > layer of caching complexity that doesn't solve a real problem. > > PS: It also seemed like the proposal was to *bypass* the networks provided forwarders from DHCP. This *is* a serious issue if it's the case. -- William Brown <william@xxxxxxxxxxxxxxx>
Attachment:
signature.asc
Description: This is a digitally signed message part
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
