"Ryan S. Brown" <ryansb@xxxxxxxxxx> wrote:
> I disagree; for server & cloud deployments it doesn't make sense to
> duplicate a DNS server on *every* host, and if you care about DNSSEC
> you likely already run a trusted resolver.
>
> The trust and management models for Server are fundamentally different
> from those of Workstation, since servers don't usually get tossed in a
> backpack and put on potentially-hostile coffee shop wi-fi. They also
> generally try to run fewer services than a workstation. The datacenter
> network is generally trusted, and a shared DNSSEC resolver makes way
> more sense.
>
> It may be "beneficial" from a security PoV to have DNSSEC resolution,
> but it isn't beneficial to have to patch 1 million copies of unbound
> if a vuln is discovered instead of just a few shared resolvers for the
> whole DC.

Servers don't only exist in big datacenters where everything is managed by the same team of sysadmins. There are countless servers in homes and small offices around the world, connected to all sorts of more or less trustworthy networks. Some of my current customers have a single server in a colocation facility somewhere. Everything outside of the Ethernet port is managed by other people and shouldn't be trusted any more than necessary.

In one of my previous jobs we had servers at multiple geographically separate colocation sites. At each site we'd rent a quarter-height rack with locked doors and install some five or so servers. The network inside the rack was trusted. Beyond the doors was the Internet. Installing redundant dedicated DNS resolvers at each site would have been overkill. The DNS servers we had were authoritative servers for our own domain. If we'd had DNSSEC back then it would have made a lot of sense to validate locally on each server.

For small offices and home users every little thing that needs to be configured is an additional burden, and chances are that they won't get around to learning how to configure a local validating resolver if it's not there by default. Big data centers, on the other hand, will have automated routines for installing new servers without configuring each one individually. If they choose to delegate the validation to a set of trusted DNS servers, then they can easily configure that in whatever central configuration tool they use, and be done with it.

I'll refrain from saying anything about clouds and containers, but for the Server product, like for Workstation, common sense suggests that the default installation should assume as little as possible about its surroundings. It should definitely not assume that there won't ever be any adversaries in the local network when it doesn't know anything about the local network. There should therefore be a local validating DNS resolver by default, and good documentation on how to replace it with trusted external resolvers for those who want to do that.

Björn Persson
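To make the two setups argued over above concrete, here is an added example of what "a local validating resolver by default" and "replace it with trusted external resolvers" look like in unbound's configuration syntax. This is illustration written for this page, not configuration from the thread, from Fedora, or from any of the participants; the file path, the trust-anchor location and the 10.0.0.53 / 10.0.1.53 addresses are assumptions.

```conf
# Default for a standalone host: validate locally, answer only this machine.
# (Added example; /etc/unbound/unbound.conf and the key path are assumed.)
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # Root trust anchor; unbound keeps it current itself (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Treat an unsigned answer from a signed zone as an attack, not as unsigned data.
    harden-dnssec-stripped: yes
    # Do not hand bogus answers to clients as if they had validated.
    val-permissive-mode: no

# Datacenter variant: keep the same validating stub but stop iterating from
# the root and send every query to the shared resolvers instead (addresses
# assumed). Unbound still checks the RRSIGs those resolvers return, so a
# compromised or spoofed shared resolver can only lie about unsigned zones.
forward-zone:
    name: "."
    forward-addr: 10.0.0.53
    forward-addr: 10.0.1.53
```

The forward-zone form is the one that still "assumes as little as possible about its surroundings": patching is reduced to the shared resolvers doing the recursion, while validation, and therefore the trust decision, stays on the host. A site that really wants to delegate validation entirely would instead point /etc/resolv.conf at the shared resolvers and rely on the network between them being trusted, which is exactly the assumption the message above argues a default installation should not make.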
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct