default local DNS caching name server

Bruno Wolff III bruno at wolff.to
Fri Apr 11 21:06:10 UTC 2014


On Fri, Apr 11, 2014 at 16:59:05 -0400,
   Paul Wouters <paul at nohats.ca> wrote:
>On Fri, 11 Apr 2014, Bruno Wolff III wrote:
>
>If you don't know there is an exception for a domain (eg at the other
>end of a VPN) then you will get the public answers and might not get
>where you need to go. Additionally, with DNSSEC there is the problem
>that the public view cryptographically proves the internal view does not
>exist (eg internal.fedoraproject.org)

With an iterative resolver that may not be true. If the route to the 
name server that has that information is over the VPN (so that you 
have the correct source address), you should get the right answer.

>Indeed, with DNSSEC we can use them as cache, because we can validate
>the answers. But those servers should never be "trusted".

That doesn't get you the right answers though, it only tells you that 
they are lying.
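The two points argued above, as an added illustration that is not part of the thread: a validating resolver that only sees the public zone will accept a signed NSEC proof that a VPN-only name does not exist, whereas a per-domain exception sends the query to the server reachable over the VPN. The NSEC record, the forwarding table and the server addresses are constructed for the example.

```python
"""Sketch of the split-horizon / DNSSEC denial-of-existence problem.
Constructed data only; not real fedoraproject.org zone contents."""

def canonical_key(name):
    """Sort key implementing RFC 4034 s6.1 canonical DNS name ordering:
    labels compared right to left, case-insensitively, as raw bytes."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return [label.encode() for label in reversed(labels)]

def is_ancestor(anc, name):
    ka, kn = canonical_key(anc), canonical_key(name)
    return len(ka) < len(kn) and kn[:len(ka)] == ka

def nsec_proves_nonexistence(owner, next_name, types, qname):
    """True if an NSEC RR `owner NSEC next_name <types>` covers qname, i.e. a
    validator would accept it as authenticated denial of existence. An NSEC
    at a delegation point (NS without SOA) says nothing about names below
    the cut, so that case is rejected. Wildcard handling is omitted."""
    if is_ancestor(owner, qname) and "NS" in types and "SOA" not in types:
        return False
    ko, kn, kq = (canonical_key(n) for n in (owner, next_name, qname))
    if ko < kn:
        return ko < kq < kn
    return kq > ko or kq < kn   # last NSEC in the zone wraps to the apex

# Constructed public-view NSEC for the apex: the signed chain jumps straight
# from the apex to www, so every name sorting between them is "proven" absent.
PUBLIC_NSEC = ("fedoraproject.org", "www.fedoraproject.org",
               {"SOA", "NS", "RRSIG", "NSEC", "DNSKEY"})

# Per-domain exceptions: names under these zones are asked over the VPN.
# The address is a placeholder.
FORWARD_EXCEPTIONS = {"internal.fedoraproject.org": "10.0.0.53 (over VPN)"}
PUBLIC_RESOLVER = "public recursive"

def route(qname):
    """Pick the server a resolver with per-domain exceptions should ask."""
    for zone, server in FORWARD_EXCEPTIONS.items():
        if qname.lower().rstrip(".") == zone or is_ancestor(zone, qname):
            return server
    return PUBLIC_RESOLVER

def resolve(qname, exceptions_known=True):
    """Return (server asked, outcome). Without the exception the public
    NSEC validates cleanly, and the internal name is 'proven' not to exist."""
    server = route(qname) if exceptions_known else PUBLIC_RESOLVER
    if server == PUBLIC_RESOLVER and nsec_proves_nonexistence(*PUBLIC_NSEC, qname):
        return (server, "NXDOMAIN (validated)")
    return (server, "answer from that server")
```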

