Em 28-04-2014 02:39, P J P escreveu:
Hi,
(sorry for the delayed response, I was away past few days)
2014-04-26 0:51 GMT+02:00 Chuck Anderson wrote:
Main goal is to have local DNSSEC-validating resolver.
I, as the OP, did not intend that as the goal, although I have no
problem with that as a different goal. My intent was to fix the
atrocious failover behavior of the glibc resolver.
Agreed. There are several reasons to have a local DNS resolvers. Nonetheless, one solution may not address all use cases. For that reason, one of the requisites gathered from the earlier long thread is
+ Choice between different DNS resolvers - unbound, bind, dnsmasq, dnslookupd etc. etc.
- you would want to have plugins for those in NetworkManager
- Right.
Please see -> https://www.piratepad.ca/p/dnssec-requisites-configurations
Speaking of which, I am not sure how dnsmasq plays with DNSSEC and/or
failover, but NetworkManager already has a config option
(/etc/NetworkManager/NetworkManager.conf, dns=dnsmasq) that makes it
configure a local dnsmasq instance on 127.0.0.1 for handling DNS
requests. The dnsmasq then is the one who will go after the real servers
& all..
Isn't making this the default way enough perhaps?
Marcelo
As Miloslav rightly said, supporting each new DNS resolver would entail resolver specific integration work and relevant upstream development work.
We plan to do our _best_ to address maximum use cases and provide due guidance for the others. But for that, it is essential to gather first hand data and list down all the DNS resolver use cases across desktops/servers/workstations/thin clients/data centres/cloud/containers etc. etc. Anything and everything that uses DNS resolver, we need to know about it. Having such data would _greatly_ help to device a robust solution.
Please help us by spreading the word about it, so that we have more & more real life data on that ether pad. That way we can estimate the amount of work to be done and invite contributors to take-up individual tasks. More hands together can easily make huge difference.
On Saturday, 26 April 2014 4:29 AM, Miloslav Trmač wrote:
Right now I'd actually guess that it's more likely to have a DNSSEC-validating resolver soon,
than the simple caching daemon you propose. Specific people are already dedicated to working
on the former, and the principal elements of the solution already exist;
what is left is (a large amount of) integration work. And that will also inherently handle
the caching/failover case "for free".
Very true!
---
Regards
-Prasad
http://feedmug.com
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct