Re: F24 System Wide Change: Default Local DNS Resolver

On Mon, 7 Dec 2015, Lennart Poettering wrote:

>> In case this is blocked on the network, Unbound is configured to tunnel
>> the DNS queries to Fedora public infrastructure over TCP (80, 443) or
>> SSL (443), in which case this is similar to the first situation, when
>> Unbound forwards queries to the resolvers, but does the validation
>> locally.

> Ahum. This is another deal-breaker. It's really wrong to simply ignore
> local DNS servers. Just because my local company DNS server doesn't do
> DNSSEC it's in *no way* OK to make it impossible for me to resolve
> local names.
>
> You *have* to use the local DNS servers by default, even if they are
> crap.

You can't, thanks to hotels and coffeeshops.

If your DHCP supplied DNS servers work, then these will be used as
forwarders, and you can have your own zone, provided you are not
squatting on the namespace of someone else and it will work fine.

> If you don't you break pretty much half of the setups. For
> example, with such a Fedora installation I couldn't even print anymore
> in my local network,

This feature should not affect .local, so you should be able to find
your printer fine?

> I couldn't access my NAS anymore, and not
> reconfigure my router. I couldn't connect to stereo's internal web
> page, and neither to my internet radio's internal web page. And that's
> just my little home network. In a company network it's *way* worse...

If you use your own domain name for that, all of it will still work. And
even without FQDN if you put the right search domains in DHCP.

> It's completely OK to gracefully degrade to non-DNSSEC DNS if the
> local DNS server cannot do it.

No it is not. Coffee shop, hotel network......

> The idea of forwarding DNS queries to Fedora servers sounds completely
> non-sensical to me...

> Given the port numbers I assume that's even HTTP?

No, it is raw DNS on port 80.

The fedora DNS servers are a "last ditch" effort. If that is needed in
your network, you have accumulated several deficiencies you should fix:

- don't use broken DNS servers (in other words, yum|dnf update on your dns
  server)
- don't block port 53 to the internet
- don't screw up UDP 53 fragments or TCP port 53, or drop >512-byte DNS
  packets

If you do all of that, you deserve broken DNS, and I only feel sorry
that house of cards did not come down sooner to help you.

> Do you really think that Fedora is capable and willing to handle all
> that traffic?

It is expected to be extremely rare this is needed. When the IETF drafts
for DNSoverTLS are implemented (eg on 8.8.8.8) we suspect it will never
be needed again.

> Are you aware of the infrastructure Google is investing
> to keep that 8.8.8.8 server up and running? Even if Fedora users are
> a tiny tiny fraction of the number of 8.8.8.8 users, the processing
> power it takes for dealing with HTTPS requests is a multitude of what
> the 8.8.8.8 requests take...

It's TLS without any validation. It's just to get through stupid
networks blocking legitimate traffic AND having a DNSSEC-broken
(years old!) DNS server running.

> DNS and DNSSEC are designed to scale, with all its caching,
> forwarding, offline signing and so on. By then pushing the whole
> traffic through HTTPS you completely trash all that...

It should never happen on networks that normal people build.

Paul
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
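As an added example that is not part of the thread, the Fedora change, or Unbound itself: a small POSIX shell script that probes a resolver for the three deficiencies Paul lists (no EDNS/DNSSEC support, TCP 53 blocked, answers larger than 512 bytes dropped). It assumes `dig` from bind-utils is installed and takes the resolver address as its argument, typically the one DHCP handed out. The two canned dig answers inside the script are constructed samples modelled on dig's output format, not captures from any real server.

```shell
#!/bin/sh
# Added example, not from the thread. Probes a DNS resolver for the three
# deficiencies named in the mail: a pre-EDNS server that returns no DNSSEC
# material, TCP port 53 blocked, and >512-byte UDP answers dropped.
# Assumes `dig` (bind-utils) is installed; the resolver address is $1.

# The checks read a dig answer on stdin so they can be exercised against
# canned output as well as against a live resolver.

# EDNS0 present: dig prints "; EDNS: version: 0, flags: do; udp: 4096"
has_edns() { grep -q '^; EDNS: version:' ; }

# DNSSEC material returned: an RRSIG record in the answer section
has_rrsig() { grep -q '[[:space:]]IN[[:space:]][[:space:]]*RRSIG[[:space:]]' ; }

# Size of the received message from dig's trailer ";; MSG SIZE  rcvd: N"
msg_size() { sed -n 's/^;; MSG SIZE  rcvd: \([0-9][0-9]*\).*/\1/p' ; }

# Classify one answer: prints "OK" or "BROKEN:" followed by the problems found,
# and returns 0 only when EDNS, an RRSIG and a >512-byte payload all appear.
# A timed-out dig prints none of these lines, so it classifies as broken too.
assess_answer() {
    answer=$(cat)
    problems=""
    printf '%s\n' "$answer" | has_edns  || problems="$problems no-edns"
    printf '%s\n' "$answer" | has_rrsig || problems="$problems no-rrsig"
    size=$(printf '%s\n' "$answer" | msg_size)
    [ "${size:-0}" -gt 512 ] || problems="$problems small-or-truncated"
    if [ -z "$problems" ]; then echo "OK"; return 0; fi
    echo "BROKEN:$problems"
    return 1
}

# Live probe of resolver $1. The root DNSKEY RRset with the DO bit set is
# roughly 1.1 KB, so one query exercises EDNS, large UDP packets and
# fragments at once; the second query repeats it over TCP 53.
probe_resolver() {
    server="$1"
    echo "UDP: $(dig @"$server" +dnssec +bufsize=4096 +time=3 +tries=1 DNSKEY . | assess_answer)"
    echo "TCP: $(dig @"$server" +dnssec +tcp +time=3 +tries=1 DNSKEY . | assess_answer)"
}

# Constructed sample of a healthy answer, modelled on dig's output format
# (key and signature material abbreviated, not real).
sample_good_answer() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
.       172800  IN  DNSKEY  257 3 8 AwEAAag...(abbreviated)
.       172800  IN  RRSIG   DNSKEY 8 0 172800 20160101000000 20151201000000 19036 . Xy12...(abbreviated)
;; MSG SIZE  rcvd: 1108
EOF
}

# Constructed sample from a years-old resolver: no OPT record, no RRSIG,
# and a message that fits in the classic 512 bytes.
sample_broken_answer() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
.       172800  IN  DNSKEY  257 3 8 AwEAAag...(abbreviated)
;; MSG SIZE  rcvd: 292
EOF
}

# Usage: sh probe.sh 192.0.2.53   (the resolver your DHCP lease names)
if [ -n "${1:-}" ]; then probe_resolver "$1"; fi
```

A resolver that reports OK on both lines is one a local validating Unbound can use as a forwarder while doing the DNSSEC validation itself; a BROKEN verdict on the UDP line but OK on TCP points at a path that eats fragments or large packets, and BROKEN on both with no EDNS line points at the old server software the mail tells you to update.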


