default local DNS caching name server

Paul Wouters paul at
Fri Apr 11 21:46:29 UTC 2014

On Fri, 11 Apr 2014, Bruno Wolff III wrote:

>> If you don't know there is an exception for a domain (eg at the other
>> end of a VPN) than you will get the public answers and might not get
>> where you need to go. Additionally, with DNSSEC there is the problem
>> that the public view cryptographically proves the internal view does not
>> exist (eg
> With an iterative resolver that may not be true. If the route to the name 
> server that has that information is over the VPN (so that you have the 
> correct source address), you should get the right answer.

Sounds like putting RFC1918 addresses in public DNS? Eww. Also, unbound
strips those out unless they come in via forwarders. But also selecting
DNS servers does not relate to routing at all, so this is confusing to

>> Indeed, with DNSSEC we can use them as cache, because we can validate
>> the answers. But those servers should never be "trusted".
> That doesn't get you the right answers though, it only tells you that they 
> are lying.

I'm not sure what you are trying to say here.


More information about the devel mailing list