F23 System Wide Change: Default Local DNS Resolver

Ryan S. Brown ryansb at redhat.com
Mon Jun 1 15:04:05 UTC 2015


On 06/01/2015 10:37 AM, Tomas Hozza wrote:
> On 06/01/2015 03:32 PM, Matthew Miller wrote:
>> On Mon, Jun 01, 2015 at 08:03:27AM -0400, Jan Kurik wrote:
>>> People use Fedora on portable/mobile devices which are connected to
>>> diverse networks as and when required. The automatic DNS
>>> configurations provided by these networks are never trustworthy for
>>> DNSSEC validation, as currently there is no way to establish such
>>> trust.
>> Is this proposal meant to apply to Cloud and Server as well? With
>> Cloud, it's at least conventional to assume that the network
>> infrastructure provided by the provider is trustworthy (see
>> cloud-init). And Server presumably will not be running on
>> portable/mobile devices connecting to arbitrary networks. For Server,
>> there may be other advantages, but do we also want these for Cloud?
> As you can read in the Change proposal, this is part of the scope:
> "discuss with WGs in which products the change makes sense and
> what are the expectations of WGs for different Fedora products"
> 
> Yes, we think the change makes sense for Server. It is still
> beneficial from the security point of view to do the DNSSEC
> validation on Server. Even though the configuration on Server
> will be static, dnssec-trigger + unbound can be used for this.
> Otherwise it would require manual configuration by the
> administrator to enable DNSSEC validation.

I disagree; for server & cloud deployments it doesn't make sense to
duplicate a DNS server on *every* host, and if you care about DNSSEC you
likely already run a trusted resolver.

The trust and management models for Server are fundamentally different
from those of Workstation, since servers don't usually get tossed in a
backpack and put on potentially-hostile coffee shop wi-fi. They also
generally try to run fewer services than a workstation. The datacenter
network is generally trusted, and a shared DNSSEC resolver makes way
more sense.

It may be "beneficial" from a security PoV to have DNSSEC resolution,
but it isn't beneficial to have to patch 1 million copies of unbound if
a vuln is discovered instead of just a few shared resolvers for the
whole DC.

> ...[snip]...

-- 
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.