default local DNS caching name server

William Brown william at firstyear.id.au
Sun Apr 13 07:09:04 UTC 2014


On Sun, 2014-04-13 at 02:53 -0400, Simo Sorce wrote:
> On Sun, 2014-04-13 at 16:10 +0930, William Brown wrote:
> 
> > A system wide resolver I am not opposed to. I am against a system wide
> > *caching* resolver. 
> 
> > In this case, a cache *is* helpful, as is DNSSEC. But for the other 6, a
> > cache is a severe detriment. 
> 
> About the above 2, can you explain *why* ?
> A bunch of people here, feel that it would be a great improvement, you
> keep saying it is doomsday, yet I haven't seen a concise explanation of
> why that would be (maybe I overlooked, apologies if so).
> 
> 
> > I disable the DNS cache in firefox with developer tools. 
> 
> So you will be able to do the same by setting 1 configuration option in
> unbound, or you could disable the resolver entirely.
> 
> Can you tell why *everybody* should have the cache disabled by default ?
> 
> > Additionally, a short TTL is good, for this situation, but it can't fix
> > everything. 
> 
> Paul mentioned the single configuration option need to make your
> resolver tweak the TTL locally, what else do you need ? And again why
> your preference should be the default ? What compelling arguments can
> you make ?
> 
> Simo.

Internal and external zone views in a business. These records may
different, and so would need flushing between network interface state
changes.

Additionally, local DNS caches may issues and delay diagnosis.

It's also not *needed* in a lot of setups. The business cases were to
show that these caching layers already exist on these networks. It would
be duplication of effort.

In businesses, it's also common place to have a low-ish ttl (Say 5
minutes) and when a system is migrated, they swap the A/AAAA records to
the new system. The dns servers on the network are updated, but the
workstation has the old record cached. Without a local cache, they would
query the local server again, which is relatively cheap. IE: It keeps
users happier even if they only needed to wait 5 minutes. Some people
like things to be instant. 


It's certainly not the end of the world, but it's adding more
complexity, and a potential source of issues. 


There is additionally, some confusion: It sounds like Paul wants to add
the resolver to only forward queries for the local domain name to the
local name servers. But this is impossible to discover all possible
local domain names that are available. 


tl;dr - DNSSEC I believe is a good thing (Even if it's rare). I don't
think there are "benefits" to caching except in a minor number of cases
where existing DNS caching mechanisms aren't in place. We are adding a
layer of caching complexity that doesn't solve a real problem. 


-- 
William Brown <william at firstyear.id.au>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140413/2ad05bd6/attachment.sig>


More information about the devel mailing list