F23 System Wide Change: Default Local DNS Resolver

Paul Wouters paul at nohats.ca
Wed Jun 3 13:03:02 UTC 2015


On Wed, 3 Jun 2015, Petr Spacek wrote:

> On 3.6.2015 13:45, Reindl Harald wrote:

>>> If you feel that the standard is broken then *please* continue with discussion
>>> on IETF's dnsop mailing list:
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>> come on stop trolling that way because you know exactly what i am talking
>> about by "broken client software" - the point is that with caching on each and
>> every device you lose the opportunity to clear central caches for whatever reason
>> and make the changes visible on all clients in realtime
>
> You will lose the ability because *you configured the zone with
> inappropriately long TTL*.

I have to agree with Petr here. The DNS is specifically designed so that
the producer of records can say how long things are allowed to be
cached. Chaining caches via forwarders is not against the method of the
DNS - it is the core design.

Moving the resolving and validation to the end nodes increases
security, and DNS security is something we badly need.

Relying on aggregating DNS servers as access control for out-of-band
DNS clearing goes against the "API contract" of a DNS transaction,
which comes with a TTL condition. Plus, that assumption has always
been broken for browsers already, who keep their own cache.

Paul
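An added illustration of the TTL contract argued above (example code written for this page, not anything from the thread or from the resolver projects discussed). It simulates a chain of forwarding caches below one authoritative server, warms each level at a different time, changes the record, and reports when the bottom resolver first serves the new value. The name, addresses and timings are constructed; a cache that hands down the remaining TTL keeps staleness bounded by the zone's own TTL no matter how deep the chain, while a cache that hands down the TTL it received lets each hop extend it.

```python
from dataclasses import dataclass

NAME = "www.example."  # constructed sample name


@dataclass
class Answer:
    rdata: str
    ttl: int  # TTL as carried in the answer, in seconds


class Authoritative:
    """Stand-in for the zone's authoritative server (constructed)."""

    def __init__(self, rdata, ttl):
        self.rdata, self.ttl = rdata, ttl

    def query(self, name, now):
        return Answer(self.rdata, self.ttl)


class CachingResolver:
    """Forwarder that caches answers from `upstream`.

    decrement=True follows the TTL contract: a cached answer is handed down
    with its *remaining* TTL.  decrement=False hands down the TTL originally
    received (a buggy cache), so every hop extends the life of stale data."""

    def __init__(self, upstream, decrement=True):
        self.upstream, self.decrement = upstream, decrement
        self.cache = {}  # name -> (rdata, expires_at, ttl_as_received)

    def query(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            rdata, expires_at, orig_ttl = hit
            return Answer(rdata, expires_at - now if self.decrement else orig_ttl)
        ans = self.upstream.query(name, now)
        self.cache[name] = (ans.rdata, now + ans.ttl, ans.ttl)
        return ans


def stale_until(depth, ttl, delta, decrement):
    """Chain `depth` forwarders under one authoritative server, warm level i
    at time i*delta, change the record at t = depth*delta, and return the
    first second at which the bottom resolver serves the new value."""
    auth = Authoritative("192.0.2.1", ttl)
    chain = [auth]
    for _ in range(depth):
        chain.append(CachingResolver(chain[-1], decrement))
    for i, resolver in enumerate(chain[1:]):
        resolver.query(NAME, i * delta)  # a client attached to each level
    auth.rdata = "192.0.2.2"  # zone change
    t = depth * delta
    while chain[-1].query(NAME, t).rdata != "192.0.2.2":
        t += 1
    return t
```

With a 300 s TTL and three hops warmed 30 s apart, the honest chain serves the new record at t=300 regardless of depth, while the non-decrementing chain still serves the old one until t=360.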