F22 System Wide Change: Default Local DNS Resolver

Tomas Hozza thozza at redhat.com
Mon Jan 19 17:59:24 UTC 2015


On 01/19/2015 06:16 PM, Pete Zaitcev wrote:
> On Wed, 14 Jan 2015 06:26:49 +1030
> William B <william at firstyear.id.au> wrote:
>
> > Right now, enabling unbound and dnssec-trigger on a laptop is an
> > extremely difficult experience.
>
> Can you tell why you're trying that? Everyone I talk to always
> goes unbound, unbound, unbound... WHY? Unbound is plain broken
> and does not work, especially with DNSSEC. But I use plain
> dnsmasq with NM, and everything works perfectly and fully automated
> by NM on my F21 laptop -- including VPN (with vpnc, no less), my internal
> LAN DNS, airports, office. Perhaps that's only because dnsmasq fails
> to participate in DNSSEC properly? Or what? Why is everyone so
> fixated on Unbound?
>
> -- Pete
>

Unbound is designed to do one thing and do it right. To be used
on a client as the default local resolver, it needs something to configure
it ~ dnssec-trigger. (e.g. dnsmasq is directly configured by NM)

Unbound + dnssec-trigger + NM works just fine. Also with split DNS
configuration. I use it every day at home, at work, with VPN. It
works.

I'm not saying there are any use-cases where it breaks, but those need
to be identified and solved. Writing non-technical complaints with
zero information for the developer in them will get us nowhere.

People want to use unbound, because it does DNSSEC validation.
dnsmasq had no DNSSEC implementation at the time there was already
unbound and dnssec-trigger.

If you use any resolver without DNSSEC the overall situation is
a lot simpler. DNSSEC simply does not work with all the hacks
people were doing with DNS before.

As for unbound vs. dnsmasq... unbound does one thing - DNS validating
resolver. While dnsmasq does almost everything (DNS resolver, validating
resolver, DNS authoritative server, DHCPv4/DHCPv6 server, TFTP server)
and has tons of hackish options. From this point of view, the choice
is pretty clear I think.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com

