default local DNS caching name server

Simo Sorce simo at redhat.com
Sun Apr 13 17:16:13 UTC 2014


On Sun, 2014-04-13 at 16:29 +0930, William Brown wrote:
> > That depends. You need caching for DNSSEC validation, so really,
> > every device needs a cache, unless you want to outsource your DNSSEC
> > validation over an insecure transport (LAN). That seems like a very
> > bad idea.
> 
> If your lan is insecure, you have other issues. That isn't the problem
> you are trying to solve. 
> 
I keep seeing this repeated by you and Harald.
I am truly in awe that your networks are *secure*; however, that is not
the common case: networks are routinely breached by zombified machines
or are insecure by default (wifi, or very large networks where anyone
can plug in). Basically, if any of the machines on the network can be
compromised, the network is not secure anymore. Finally, you certainly
can't trust a network as large as a common ISP's.

All these networks need to be treated as insecure by default. You cannot
trust a DNS server not on your machine to do DNSSEC resolution for you
or, as soon as you want to start using DANE, TLSA, etc., you are a
sitting duck, and people will be able to MITM you extremely easily.

The default needs to cater for these issues. But of course it is just a
default, on your network you'll be able to change the resolvers however
you want.

The only thing I agree on is that the default MUST use the forwarders
provided by the local DHCP unless the user explicitly configured
otherwise.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
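The point above about outsourcing DNSSEC validation across an untrusted LAN can be made concrete with a small added example (not code from the thread or from any Fedora component). The DNSSEC "AD" (Authenticated Data) bit that a validating resolver sets for its clients is one plaintext bit in the DNS header; an on-path attacker between the stub and an off-host resolver can set it on a forged, unsigned answer. A validating resolver on the local machine ignores the AD bit it receives and checks the signatures itself. The DNS messages below are constructed inline for the demonstration, and the "local validator" function only checks that RRSIG records are present, which stands in for the full chain-of-trust verification a real validator performs.

```python
"""Added example: why the DNSSEC AD bit from an off-host resolver is worthless
over an insecure LAN. Messages are constructed, not captured traffic."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# DNS header flag bits (RFC 1035, AD/CD from RFC 4035) in the 16-bit flags word
QR, AA, TC, RD, RA, AD, CD = (1 << 15, 1 << 10, 1 << 9, 1 << 8,
                              1 << 7, 1 << 5, 1 << 4)
RRSIG = 46  # RR type number for DNSSEC signatures


@dataclass
class DnsHeader:
    id: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    @property
    def ad(self) -> bool:
        return bool(self.flags & AD)


def parse_header(msg: bytes) -> DnsHeader:
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    return DnsHeader(*struct.unpack("!6H", msg[:12]))


def build_response(txid: int, ad: bool) -> bytes:
    """Construct a minimal unsigned response for 'example.' IN A 192.0.2.1."""
    flags = QR | RD | RA | (AD if ad else 0)
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)
    question = b"\x07example\x00" + struct.pack("!HH", 1, 1)  # A, IN
    # answer RR: name pointer to offset 12 (0xC00C), type A, class IN, TTL, rdlen
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def on_path_set_ad(msg: bytes) -> bytes:
    """What a MITM on the LAN can do to a forwarded reply: flip AD on, touch
    nothing else. No key material is needed because nothing protects the bit."""
    flags = struct.unpack("!H", msg[2:4])[0] | AD
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def stub_trusts_remote_ad(msg: bytes) -> bool:
    """Policy of a non-validating stub that believes an off-host resolver."""
    return parse_header(msg).ad


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n


def answer_rrtypes(msg: bytes) -> list[int]:
    """Return the RR types in the answer section (walks past the question)."""
    h = parse_header(msg)
    off = 12
    for _ in range(h.qdcount):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(h.ancount):
        off = _skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rrtype)
        off += 10 + rdlen
    return types


def local_validator_accepts(msg: bytes) -> bool:
    """Stand-in for a validating resolver on the same host: the received AD
    bit is ignored and signatures must be present. (A real validator also
    verifies every RRSIG against the chain of trust from the root; this
    simplification is an assumption of the example, not how unbound/BIND work.)"""
    return RRSIG in answer_rrtypes(msg)


if __name__ == "__main__":
    unsigned = build_response(0x1234, ad=False)
    forged = on_path_set_ad(unsigned)
    print("stub believes forged reply:", stub_trusts_remote_ad(forged))
    print("local validator accepts it:", local_validator_accepts(forged))
```

Run stand-alone, the script shows the forged reply passing a stub that trusts the remote AD bit and failing the local check, which is the reason the default in the thread is a validating cache on every host, forwarding (not delegating validation) to the DHCP-supplied resolvers.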
