On 06/01/2015 01:55 PM, Jason L Tibbitts III wrote:
>>>>>> "RSB" == Ryan S Brown <ryansb@xxxxxxxxxx> writes:
>
> RSB> I disagree; for server & cloud deployments it doesn't make sense to
> RSB> duplicate a DNS server on *every* host, and if you care about
> RSB> DNSSEC you likely already run a trusted resolver.
>
> I disagree generally in the case of server deployments.
>
> Having a local caching resolver is pretty much essential, even though we
> all know it's just a workaround for glibc.
>
> Basically, if you have properly functioning DNS on multiple local
> servers but not having anything fancier like heartbeat-based IP handoff
> or a load balancing appliance or something, and the first resolver in
> resolv.conf goes offline, your hosts are screwed. glibc's resolver code
> is simply horrible. This is completely exclusive of DNSSEC issues.

I don't think it's essential for either the server or the cloud product.
Servers run in a much more reliable network than your average SOHO or
coffee shop setup, and their behavior with regard to DNS doesn't need a
local caching resolver. LAN DNS (probably with split horizon for
DC-internal services) is plenty fast and reliable; there isn't a need to
run a zillion instances of Unbound. Also, I've run redundant LAN DNS
servers in fairly large deployments, and ns1 going down certainly hasn't
"screwed" my hosts.

> Of course, most folks who have enough infrastructure to have their own
> DNS servers and such can easily figure out how to configure a local
> resolver if need be, so what's in the default setup really makes no
> difference. And for the home user who might want to grab the server
> spin/product/whatever-we're-calling-it-this-week, well, I'd think they'd
> want the local resolver.

I don't think so -- when I pull a fresh server image I expect there to be
very little running on it. A local DNS resolver would certainly be a
surprise to me.

Again, this comes back to the expectation that a server isn't hopping
networks or running somewhere untrusted where there's a high risk of bad
actors.

> What really concerns me is what happens with split DNS. I assume I'll
> just need to configure the local resolvers to talk only to my resolvers,
> but this would really need to be documented.

--
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
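The split-DNS case raised in the quoted paragraph above, worked through as an added example that is not part of this thread or of Fedora's shipped configuration: a local Unbound instance that forwards an internal, unsigned zone to the site's own resolvers while still DNSSEC-validating everything public. The zone name `corp.example` and the resolver addresses `10.0.0.53` / `10.0.0.54` are assumed placeholders.

```conf
# /etc/unbound/conf.d/split-dns.conf  (added example; names and
# addresses are placeholders, not values from the thread)
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse        # never expose the cache to the LAN

    # Keep validating public names against the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # The internal zone is not DNSSEC-signed: without this line every
    # answer for it would fail validation and return SERVFAIL.
    domain-insecure: "corp.example"

    # Unbound drops private (RFC 1918) addresses from answers as an
    # anti-rebinding measure; re-allow them only for the internal zone.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.example"

# Internal names go only to the site resolvers (split horizon).
forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53
    forward-addr: 10.0.0.54

# Reverse lookups for the internal range also stay internal.
forward-zone:
    name: "10.in-addr.arpa"
    forward-addr: 10.0.0.53
    forward-addr: 10.0.0.54

# Everything else: forward to the same resolvers, but fall back to
# iterating from the roots if both are down, so losing ns1 and ns2
# degrades to "slower", not "screwed".
forward-zone:
    name: "."
    forward-addr: 10.0.0.53
    forward-addr: 10.0.0.54
    forward-first: yes
```

Validate the file with `unbound-checkconf` before restarting, and confirm the split with `dig @127.0.0.1 host.corp.example` (answer from the internal resolvers, no AD flag) versus `dig @127.0.0.1 fedoraproject.org` (AD flag set when validation succeeds).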