F22 System Wide Change: Default Local DNS Resolver
Paul Wouters
pwouters at redhat.com
Mon Jan 19 18:16:10 UTC 2015
On 01/19/2015 06:16 PM, Pete Zaitcev wrote:

>> Can you tell why you're trying that. Everyone I talk to always
>> go unbound, unbound, unbound... WHY? Unbound is plain broken
>> and does not work, especially with DNSSEC.

Can you explain exactly what does not work? Some of the largest ISPs in
the US are using unbound for all their customers.

>> But I use plain
>> dnsmasq with NM, and everything works perfectly

Perfectly insecure without DNSSEC I assume. The problem is not that
unbound is bad, the problem is that people depend on DNS lies, and
using DNSSEC along with those lies is a complicated matter. So yes,
the hotspot use case is tricky.

dnssec-trigger plus unbound is not ideal. The ideal situation is NM
integrating the required dnssec-trigger support, with additional DNS
configuration properties per-connection and a selinux sandbox hotspot
login dealing with HTTP and DNS lies. Just give me a few engineers for
a few months :P

Paul