default local DNS caching name server

Simo Sorce simo at redhat.com
Sun Apr 13 06:42:55 UTC 2014


On Sun, 2014-04-13 at 06:35 +0200, Reindl Harald wrote:

> and if you believe that in a not trustable network you don't
> know if you get the signing informations at all - fine, but
> you hardly an enforce that with a local software

That is the WHOLE point of DNSSEC, really.

> if i control the network i control the whle traffic and without
> your own satellite link you can't change that

It is not necessary, integrity protection allows me to find out if my
traffic is getting through or not. If not, though luck.

> >> Case 4, 5, 6 and 7: DNS cache, again, isn't needed.
> > 
> > Again, DNSSEC validation on the device requires caching.
> 
> the question is if i gain aynthing doing it on the end-device

If you need to ask this question I think you missed the whole point of
DNSSEC.

> have fun debugging DNS troubles of a road-warrior in your network
> without realize that he brings his own DNS server

Caching DNS is common on many OSs, it is nothing special really.

> >> In conclusion, I don't percieve that a DNS cache in Fedora is a good
> >> idea, as it solves few real world problems, and may in fact create
> >> issues, mask issues and create a bad stigma about Fedora network
> >> reliability. If it is to become available to users I would like:
> > 
> > I believe you will need to re-think that in light of running a
> > validating DNSSEC resolver on your laptop or servers.
> 
> no

Oh yeah, you have to. You may decide you do not like it. That is fine,
but DNSSEC does change things slightly and, IMHO, for the better.

> >> * DNS cache is not the default. It bust be enabled on a connection (IE
> >> user's in case 1 can enable it if needed)

Just to answer William too, I do not think you brought any evidence that
this would not be a good default. On the contrary in base OS we've felt
for a long time now the need for it. It is a pain to do without a decent
cache, and nscd is not it!

> >> * DNS cache should be able to be enabled from the NM Gui

A way to toggle it on and off is not a bad idea, but I do not think it
needs to be a requirement. Turning off the unbound service is not
exactly difficult.

> >> * DNS cache should be able to be flushed live from the NM Gui

I totally agree there should be a way to flush the cache, I am not sure
it makes sense to have it in the GUI, certainly nm-cli (or other
command) should offer it.

> >> * DNS cache should be flushed on route or interface state change.

I do not see why, the only reason to flush a cache is when there is a
DNS change (new interface, eg VPN coming up, or going away)

> >> * If two interfaces are active, the default route DNS cache setting
> >> takes precedence.

This would break VPNs, which are often not the default route. What you
want is to send arbitrary queries to the default DNS, and have
forwarders per domain for special interfaces like VPNs (unless in the
configuration you establish that all DNS traffic should go over the VPN
when you connect).

> > You cannot separate dns cache from DNSSEC. DNS caching is not a problem,
> > it is a feature. If you don't want your records cached, use ttl=0
> 
> the cache already is running in my LAN for good reasons

That's a different cache, however if you feel strongly you will be able
to turn off the local caching dns server on your machines, at your
option.

> that DNS cache is pushed with DHCP

Forwarders are pushed via DHCP, not caches.

> that DNS cache already does DNSSEC validation

Which is useless in the *general* case. You may think your physical
security is perfect, that;s great, but for everybody else, trusting the
network is not ok, that's why more an more people de[ploy TLS or GSSAPI
in internal networks too.
The era of the clear text trusted private network is coming to an end,
whether you like it or not.

> if you don't trust the network itself you are lost anyways

Let me troll a bit, this is why you do all your banking without
HTTPS ? :-)


I am strongly in favor of a DNS cache on Fedora, and I would even
seriously consider any proposal of making it the default on Fedora
Server too.


Regards,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



More information about the devel mailing list