On Mon, 07.12.15 10:15, Tomas Hozza (thozza@xxxxxxxxxx) wrote:

> On 05.12.2015 18:57, Florian Weimer wrote:
> > On 11/30/2015 05:14 PM, Jan Kurik wrote:
> >> We want to have Unbound server installed and running on localhost by
> >> default on Fedora systems. Where necessary, have also dnssec-trigger
> >> installed and running by default
> >
> > Would someone please clarify the proposal if Unbound would run as a
> > forwarder, or as a stand-alone recursive resolver?
>
> It depends on the network. If the resolvers from the DHCP are usable
> for DNSSEC, then these will be used as forwarders. Nevertheless, Unbound
> does the validation locally, so it will query for all the necessary
> data to build the chain of trust.
>
> In case the network-provided resolvers are not usable for DNSSEC, then
> Unbound is configured to do the recursion.
>
> In case this is blocked on the network, Unbound is configured to tunnel
> the DNS queries to Fedora public infrastructure over TCP (80, 443) or
> SSL (443), in which case this is similar to the first situation, when
> Unbound forwards queries to the resolvers, but does the validation
> locally.

Ahum. This is another deal-breaker. It's really wrong to simply ignore
local DNS servers. Just because my local company DNS server doesn't do
DNSSEC it's in *no way* OK to make it impossible for me to resolve local
names. You *have* to use the local DNS servers by default, even if they
are crap. If you don't you break pretty much half of the setups.

For example, with such a Fedora installation I couldn't even print
anymore in my local network, I couldn't access my NAS anymore, nor
reconfigure my router. I couldn't connect to my stereo's internal web
page, and neither to my internet radio's internal web page. And that's
just my little home network. In a company network it's *way* worse...

It's completely OK to gracefully degrade to non-DNSSEC DNS if the local
DNS server cannot do it. Sure the APIs shouldn't claim it was safe, but
that's about it.

The idea of forwarding DNS queries to Fedora servers sounds completely
nonsensical to me... Given the port numbers I assume that's even HTTP?
Do you really think that Fedora is capable and willing to handle all
that traffic? Are you aware of the infrastructure Google is investing to
keep that 8.8.8.8 server up and running? Even if Fedora users are a tiny
tiny fraction of the number of 8.8.8.8 users, the processing power it
takes for dealing with HTTPS requests is a multitude of what the 8.8.8.8
requests take... DNS and DNSSEC are designed to scale, with all its
caching, forwarding, offline signing and so on. By then pushing the whole
traffic through HTTPS you completely trash all that...

> This is part of dnssec-trigger documentation, since it is used as the
> means to reconfigure Unbound.

It would be good to mention this in the feature page.

Lennart

--
Lennart Poettering, Red Hat
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
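The three network situations Tomas describes (DNSSEC-capable DHCP resolvers used as forwarders with local validation, direct recursion, tunnel to Fedora infrastructure over TCP 80/443 or SSL 443), plus the graceful degradation to the local resolvers that Lennart asks for, written out as a mode-selection sketch. This is an added example, not dnssec-trigger's or Unbound's own code; the probe results are constructed, the tunnel address is a placeholder, and the Unbound option names are the ones I assume a practitioner would set for each mode.

```python
"""Pick an Unbound operating mode from constructed network probe results.
Example code for the thread above; it is not dnssec-trigger's logic."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder only: the real Fedora tunnel endpoint is not given on the page.
FEDORA_TUNNEL = "FEDORA_TUNNEL_IP_PLACEHOLDER"

# Assumed Unbound server options for a locally validating resolver.
VALIDATING = ['module-config: "validator iterator"',
              'auto-trust-anchor-file: "/var/lib/unbound/root.key"']


@dataclass
class Probe:
    """Constructed probe summary for one network."""
    dhcp_resolvers: List[str]        # resolvers handed out by DHCP
    dnssec_capable: List[str]        # subset that returned DNSSEC data intact
    recursion_works: bool            # root/TLD servers reachable on port 53
    tunnel_port: Optional[int]       # 80 or 443 reachable to the tunnel, else None
    tunnel_ssl: bool = False         # True when the 443 tunnel speaks SSL


def choose_mode(p: Probe, insecure_fallback: bool = False) -> Dict[str, object]:
    """Return {"mode", "server", "forward"} following the thread's order of preference."""
    if p.dnssec_capable:                      # case 1: forward, validate locally
        return {"mode": "forward-validating", "server": VALIDATING,
                "forward": list(p.dnssec_capable)}
    if p.recursion_works:                     # case 2: full recursion
        return {"mode": "recursive", "server": VALIDATING, "forward": []}
    if p.tunnel_port is not None:             # case 3: tunnel, still validating
        upstream = ["ssl-upstream: yes"] if p.tunnel_ssl else ["tcp-upstream: yes"]
        return {"mode": "tunnel", "server": VALIDATING + upstream,
                "forward": [f"{FEDORA_TUNNEL}@{p.tunnel_port}"]}
    if insecure_fallback and p.dhcp_resolvers:
        # Lennart's graceful degradation: keep using the local resolvers,
        # but drop the validator so local names still resolve.
        return {"mode": "forward-insecure", "server": ['module-config: "iterator"'],
                "forward": list(p.dhcp_resolvers)}
    return {"mode": "none", "server": VALIDATING, "forward": []}


def render(cfg: Dict[str, object]) -> str:
    """Render the chosen mode as an unbound.conf fragment (option names assumed)."""
    lines = ["server:"] + ["    " + opt for opt in cfg["server"]]
    if cfg["forward"]:
        lines += ["forward-zone:", '    name: "."']
        lines += [f"    forward-addr: {addr}" for addr in cfg["forward"]]
    return "\n".join(lines) + "\n"
```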