default local DNS caching name server

William Brown william at firstyear.id.au
Sun Apr 13 07:11:21 UTC 2014


On Sun, 2014-04-13 at 16:39 +0930, William Brown wrote:
> On Sun, 2014-04-13 at 02:53 -0400, Simo Sorce wrote:
> > On Sun, 2014-04-13 at 16:10 +0930, William Brown wrote:
> > 
> > > A system wide resolver I am not opposed to. I am against a system wide
> > > *caching* resolver. 
> > 
> > > In this case, a cache *is* helpful, as is DNSSEC. But for the other 6, a
> > > cache is a severe detriment. 
> > 
> > About the above 2, can you explain *why* ?
> > A bunch of people here, feel that it would be a great improvement, you
> > keep saying it is doomsday, yet I haven't seen a concise explanation of
> > why that would be (maybe I overlooked, apologies if so).
> > 
> > 
> > > I disable the DNS cache in firefox with developer tools. 
> > 
> > So you will be able to do the same by setting 1 configuration option in
> > unbound, or you could disable the resolver entirely.
> > 
> > Can you tell why *everybody* should have the cache disabled by default ?
> > 
> > > Additionally, a short TTL is good, for this situation, but it can't fix
> > > everything. 
> > 
> > Paul mentioned the single configuration option need to make your
> > resolver tweak the TTL locally, what else do you need ? And again why
> > your preference should be the default ? What compelling arguments can
> > you make ?
> > 
> > Simo.
> 
> Internal and external zone views in a business. These records may
> differ, and so would need flushing between network interface state
> changes.
> 
> Additionally, local DNS caches may cause issues and delay diagnosis.
> 
> It's also not *needed* in a lot of setups. The business cases were to
> show that these caching layers already exist on these networks. It would
> be duplication of effort.
> 
> In businesses, it's also commonplace to have a low-ish TTL (say 5
> minutes) and when a system is migrated, they swap the A/AAAA records to
> the new system. The DNS servers on the network are updated, but the
> workstation has the old record cached. Without a local cache, they would
> query the local server again, which is relatively cheap. I.e.: it keeps
> users happier even if they only needed to wait 5 minutes. Some people
> like things to be instant. 
> 
> 
> It's certainly not the end of the world, but it's adding more
> complexity, and a potential source of issues. 
> 
> 
> There is additionally some confusion: it sounds like Paul wants to add
> the resolver to only forward queries for the local domain name to the
> local name servers. But it is impossible to discover all possible
> local domain names that are available. 
> 
> 
> tl;dr - DNSSEC I believe is a good thing (Even if it's rare). I don't
> think there are "benefits" to caching except in a minor number of cases
> where existing DNS caching mechanisms aren't in place. We are adding a
> layer of caching complexity that doesn't solve a real problem. 
> 
> 

PS: It also seemed like the proposal was to *bypass* the network-provided
forwarders from DHCP. This *is* a serious issue if it's the
case. 

-- 
William Brown <william at firstyear.id.au>
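The three operational points raised in the message above (cached answers from one network's view surviving an interface change, forwarding only the local domains to the local name servers, and not bypassing the DHCP-provided forwarders) can all be handled from a NetworkManager dispatcher hook driving unbound-control. The script below is an added example written for this page; it is not code from this thread, from Fedora's eventual implementation, or from the unbound project. It assumes NetworkManager invokes it as `$1`=interface, `$2`=action and exports `DHCP4_DOMAIN_NAME`, `DHCP4_DOMAIN_SEARCH` and `DHCP4_DOMAIN_NAME_SERVERS` for the `up` and `dhcp4-change` actions, and that unbound has `remote-control` enabled so `unbound-control` can reach it. The `unbound-control` verbs used (`forward_add`, `flush_zone`, `reload`) are real; the sample domain and server values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from this thread, nor Fedora's or unbound's own code):
# a NetworkManager dispatcher hook that keeps a system-wide unbound cache
# honest when the network changes. Assumptions, labelled here and in the
# lead-in: NetworkManager invokes it as "$1"=interface "$2"=action and
# exports DHCP4_DOMAIN_NAME, DHCP4_DOMAIN_SEARCH, DHCP4_DOMAIN_NAME_SERVERS;
# unbound has remote-control enabled so unbound-control works.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"   # set to "echo" for a dry run

# Local domains announced by DHCP (domain-name plus the search list),
# lower-cased, one per line, duplicates dropped.
# Constructed sample: DHCP4_DOMAIN_SEARCH="corp.example lab.example"
dhcp_domains() {
    # Unquoted on purpose: split the space-separated search list into words.
    printf '%s\n' ${DHCP4_DOMAIN_NAME:-} ${DHCP4_DOMAIN_SEARCH:-} \
        | tr 'A-Z' 'a-z' | awk 'NF && !seen[$0]++'
}

# Emit unbound-control commands, one per line, that (1) send each local
# domain to the network's own servers instead of resolving it from the
# roots, and (2) flush whatever the cache holds for that domain, so an
# answer from the previous network's internal/external view cannot
# survive the change.   $1 = space-separated server addresses, $2.. = domains
plan_forwarders() {
    servers="$1"; shift
    for d in "$@"; do
        printf 'forward_add %s %s\n' "$d" "$servers"
        printf 'flush_zone %s\n' "$d"
    done
}

# Run the planned commands read from stdin. Word-splitting $cmd is
# intended: each line is "verb zone addr ...".
apply_plan() {
    while read -r cmd; do
        # shellcheck disable=SC2086
        $UNBOUND_CONTROL $cmd < /dev/null || return 1
    done
}

main() {
    action="$2"
    case "$action" in
        up|dhcp4-change)
            domains="$(dhcp_domains)"
            servers="${DHCP4_DOMAIN_NAME_SERVERS:-}"
            # Nothing announced: leave unbound's current behaviour alone.
            [ -n "$domains" ] && [ -n "$servers" ] || return 0
            # shellcheck disable=SC2086
            plan_forwarders "$servers" $domains | apply_plan
            ;;
        down)
            # reload re-reads unbound.conf and empties the cache; the
            # runtime forward_add entries for the departed network are not
            # in the config file, so they go with it.
            $UNBOUND_CONTROL reload
            ;;
    esac
}

# Only dispatch when NetworkManager passes an action; sourcing or running
# the file bare does nothing.
if [ -n "${2:-}" ]; then
    main "$@"
fi
```

Two things the hook deliberately leaves to `unbound.conf`: the staleness window for the 5-minute migration case is bounded by `cache-max-ttl:` (an answer is never kept longer than that, whatever the zone publishes), and a site that wants *every* query, not only the local domains, to go through the DHCP-provided forwarders rather than the roots can have the hook issue `forward_add . $servers` instead of one `forward_add` per domain. Running with `UNBOUND_CONTROL=echo` prints the plan without touching the resolver, which is the quickest way to see what a given DHCP lease would change.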