F23 System Wide Change: Default Local DNS Resolver
Paul Wouters
paul at nohats.ca
Tue Jun 2 16:44:00 UTC 2015
On Tue, 2 Jun 2015, David Howells wrote:
>> Install a local DNS resolver trusted for the DNSSEC validation running on
>> 127.0.0.1:53. This must be the only name server entry in /etc/resolv.conf.
>>
>> The automatic name server entries received via dhcp/vpn/wireless
>> configurations should be stored separately (e.g. this is stored in the
>> NetworkManager internal state), as transitory name servers to be used by the
>> trusted local resolver. In all cases, DNSSEC validation will be done
>> locally.
>
> How does this interact with dnsmasq which also wants to be the only name
> server entry in resolv.conf?
Not well? The problem is dnsmasq is not as feature-complete as unbound
(and its DNSSEC implementation is very new).
I think most people end up running dnsmasq because of KVM/libvirtd? I
think those dnsmasqs should be run in "dhcp only" mode and point to
the host's unbound.
Paul
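The layout discussed in this message (only the local validating resolver in /etc/resolv.conf, the DHCP/VPN-supplied servers kept aside as unbound forwarders, and libvirt's dnsmasq reduced to DHCP with guests pointed at the host's unbound) can be checked and rendered with the shell functions below. This is an added example, not code from the thread or from the Fedora change proposal; the virbr0/192.168.122.0/24 bridge and the default file paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the local-resolver layout discussed in the thread; not part
# of the original message. The virbr0 bridge, its 192.168.122.1 address and the
# default /etc/resolv.conf path are assumptions for illustration.

# Return 0 if the given resolv.conf has at least one nameserver entry and every
# one of them names the local resolver (127.0.0.1 or ::1). Anything else is the
# failure mode the proposal wants to rule out: DHCP/VPN servers being written
# straight into resolv.conf and bypassing local DNSSEC validation.
check_resolv_conf() {
    file="${1:-/etc/resolv.conf}"
    count=$(awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$file")
    bad=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$file")
    if [ "$count" -eq 0 ]; then
        printf 'no nameserver entry in %s\n' "$file" >&2
        return 1
    fi
    if [ -n "$bad" ]; then
        printf 'non-local nameserver(s) in %s: %s\n' "$file" "$bad" >&2
        return 1
    fi
    return 0
}

# Render an unbound forward-zone stanza from the transitory servers learned via
# DHCP/VPN (kept out of resolv.conf, as the proposal describes). Validation still
# happens in the local unbound; the forwarders only have to pass DNSSEC records
# through unmodified.
render_forward_zone() {
    # $@ = upstream server addresses handed out by DHCP/VPN
    printf 'forward-zone:\n    name: "."\n'
    for srv in "$@"; do
        printf '    forward-addr: %s\n' "$srv"
    done
}

# Render a dnsmasq configuration for a libvirt-style bridge in "dhcp only" mode.
# port=0 disables dnsmasq's DNS service entirely (DHCP keeps running), and the
# explicit dns-server option hands guests the host address so they resolve via
# the host's unbound rather than via dnsmasq.
render_dnsmasq_dhcp_only() {
    bridge_if="${1:-virbr0}"
    bridge_addr="${2:-192.168.122.1}"
    range_start="${3:-192.168.122.2}"
    range_end="${4:-192.168.122.254}"
    cat <<EOF
port=0
interface=${bridge_if}
bind-interfaces
dhcp-range=${range_start},${range_end}
dhcp-option=option:dns-server,${bridge_addr}
EOF
}
```

For the guests to actually reach the host's unbound, its `server:` section also needs an `interface:` line for the bridge address and an `access-control:` entry allowing the guest subnet; by default unbound only listens on and answers localhost. One caveat worth keeping in mind with this layout: if a DHCP-supplied forwarder strips or mangles DNSSEC records, the local unbound will return SERVFAIL for signed names rather than silently accepting unvalidated answers, which is the intended fail-closed behaviour but can look like a "DNS is broken" outage on such networks.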