On 28-10-13 19:28, Thomas Goirand wrote:
> So, as per the replies we've read, it seems that the only way to
> implement DNSSEC would be to first check if it works, and if it doesn't,
> fall back to the locally provided recursive DNS server.
This feels upside down to me. There is nothing in DNSSEC which makes it inherently incompatible with using DNS forwarders. Talking to the root DNS servers is fun and all, but there's really no good reason why you shouldn't use the large DNS cache on your ISP's recursive DNS server.

There's also no reason why you _need_ a local DNS server to be able to do DNSSEC resolving; you can theoretically use a stub resolver (though I'm not sure if there's a stub resolver in Debian which supports doing so).

Now, if your local DNS server ignores requests for RRSIG records, or sabotages DNSSEC in other ways, it might make sense to try to bypass them, possibly by running a local caching DNS server. But that should not be the first thing to do.

-- 
This end should point toward the ground if you want to go to space.
If it starts pointing toward space you are having a bad problem and you
will not go to space today.
  -- http://xkcd.com/1133/

Archive: http://lists.debian.org/526ebe2d.5080...@debian.org
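An added illustration, not part of the original message or of any Debian tool: one way to check whether a forwarder passes DNSSEC data through is to send a query with the EDNS0 DO bit set and see whether the answer carries RRSIG records and the AD flag. The function names and the two sample responses are constructed for this example; the code only detects whether the records come back, it does not validate signatures.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
AD_FLAG = 0x0020  # "authenticated data" bit in the DNS header flags

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Recursive query with an EDNS0 OPT record that sets the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL = flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def dnssec_support(msg):
    """Return (ad_flag, rrsig_in_answer) for a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip each question: name + type + class
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):  # walk the answer section, recording RR types
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return bool(flags & AD_FLAG), TYPE_RRSIG in types

def sample_response(with_dnssec):
    """Constructed response for example.org; the RRSIG rdata is a dummy."""
    def rr(rtype, rdata):
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    answers = [rr(TYPE_A, bytes([192, 0, 2, 1]))]
    if with_dnssec:
        answers.append(rr(TYPE_RRSIG, b"\x00" * 20))
    flags = 0x8180 | (AD_FLAG if with_dnssec else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    return header + encode_name("example.org") + struct.pack("!HH", TYPE_A, 1) + b"".join(answers)
```

A forwarder for which the second value comes back False on a signed zone is the "ignores requests for RRSIG records" case; an AD flag alone is only meaningful when the path to the resolver is trusted.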