F22 System Wide Change: Default Local DNS Resolver

William B william at firstyear.id.au
Tue Jan 13 19:56:49 UTC 2015



> To install a local DNS resolver trusted for the DNSSEC validation
> running on 127.0.0.1:53. This must be the only name server entry
> in /etc/resolv.conf.

.... snip ...

> People use Fedora on portable/mobile devices which are connected to
> diverse networks as and when required. The automatic DNS
> configurations provided by these networks are never trustworthy for
> DNSSEC validation. As currently there is no way to establish such
> trust.
> 

I have a number of concerns about the "readiness" of the proposal.

Right now, enabling unbound and dnssec-trigger on a laptop is an
extremely difficult experience. Since taking up this challenge I have
found that "turn it off and on again" has become the default solution on
my Linux install as a result of these problems.

For example: crashes in unbound that are not caught in abrt, forwarders
that do not get added (but they display in the list), queries that
never get replies (but they work when you bypass unbound and go to your
glibc forwarder), the inability to flush the DNS cache without sudo, and
DNS caches that are held over network boundaries, to name a few of my
concerns.

As a result, at this time, enabling this on your system is actually
more of a detriment than the "benefit" being touted. I would prefer
working DNS over non-working "secure" DNS. (I guess it's secure because
I can't send any traffic out.)


> Apart from trust, these name servers are often known to be flaky and
> unreliable, which only adds to the overall bad and at times even
> frustrating user experience. In such a situation, having a trusted
> local DNS resolver not only makes sense but is in fact badly needed.
> It has become a need of the hour. (See: [1], [2], [3])

Unbound creates more flakiness than it solves. Unbound caches "no
answer" as a negative cache entry. If your wireless blips for an
instant, that's it, result vanishes.


I think that there should be a large amount of QA focus on this change.
Configurations involving split-view DNS should be involved in testing,
testing stability of unbound between suspend/resume, or even
NetworkManager restarts, testing that queries resolve in esoteric
networks (i.e. networks that capture and redirect DNS traffic).

This is a change that currently has the potential to seriously damage
the user experience of anyone using Fedora. I think that much more
rigorous testing and thought should go into this before we just steam
ahead. If you install unbound in its current state, you will begin to
notice little issues quickly, especially on laptops. That is not a
default we should aim for.



NOTE: I'm not just raging here, I have actually opened BZs for these
issues that I have. I think that awareness of these issues is low, and
that it should be brought to light. I hope that more thorough testing
is carried out in a wider set of environments to eventually get this to
a point where enabling this service is a seamless change. However, at
this time, that is not the case.


-- 
Sincerely,

William Brown

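The invariant quoted at the top of the message, that 127.0.0.1 must be the only nameserver entry in /etc/resolv.conf, is easy to violate when a network pushes its own servers into the file. The following check is an added example, not code from this thread or from the Fedora change proposal; it assumes a plain resolv.conf layout (one directive per line, `#` or `;` starting a comment), and the files it is tested against are constructed.

```shell
#!/bin/sh
# Added example: verify that 127.0.0.1 is the one and only "nameserver"
# entry in a resolv.conf-style file, as the local-resolver change requires.
# Returns 0 when the invariant holds, 1 on violation, 2 if unreadable.

check_local_resolver_only() {
    # $1: path to a resolv.conf-style file (assumption: one directive per
    # line, '#' or ';' begin a comment, as in glibc's resolv.conf)
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Drop comments, keep only 'nameserver' directives, print the address.
    servers=$(sed -e 's/[#;].*$//' "$file" | awk '$1 == "nameserver" { print $2 }')

    # Word-split the addresses into positional parameters to count them.
    set -- $servers
    count=$#

    if [ "$count" -eq 1 ] && [ "$1" = "127.0.0.1" ]; then
        echo "ok: 127.0.0.1 is the only nameserver in $file"
        return 0
    fi

    echo "violation in $file: expected exactly one nameserver (127.0.0.1), found $count" >&2
    for s in "$@"; do
        echo "  nameserver $s" >&2
    done
    return 1
}

# Run the check against the path given on the command line, if any
# (e.g. /etc/resolv.conf); sourcing the file defines the function only.
if [ "$#" -gt 0 ]; then
    check_local_resolver_only "$1"
fi
```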