Wouter Verhelst writes ("Re: Jessie release goal: DNSSEC as default recursive resolver"):
> There is nothing in DNSSEC which makes it inherently incompatible with
> using DNS forwarders. Talking to the root DNS servers is fun and all,
> but there's really no good reason why you shouldn't use the large DNS
> cache on your ISP's recursive DNS server.
I'm afraid this is not true. The way DNSSEC is designed means that you can't "tunnel" the DNSSEC data through a forwarding nameserver which doesn't itself understand DNSSEC at least to a minimal extent. If your local forwarder doesn't do this, which is quite likely, you have to fall back to the global infrastructure - and hope it's not blocked or intercepted.

> Now, if your local DNS server ignores requests for RRSIG records, or
> sabotages DNSSEC in other ways, it might make sense to try to bypass
> them, possibly by running a local caching DNS server. But that should
> not be the first thing to do.

IIRC one of the ways that DNSSEC breaks naive forwarders is that its rules for what constitutes an RRset are different to normal. It's a while since I looked at this but I could go and look at the RFCs again...

Ian.

Archive: http://lists.debian.org/21103.58350.86031.655...@chiark.greenend.org.uk
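The point under discussion, that a validating stub cannot get what it needs through a forwarder that does not at least speak EDNS0 and pass the DO bit upstream, can be checked at the wire level. Below is an added example, not code from the thread or from any Debian resolver: it builds the query a validating stub sends (RD set, EDNS0 OPT RR with the DO bit) and then inspects a response to see whether the OPT RR and the RRSIG records survived. The two sample responses are constructed inline, not captured traffic; the RRSIG rdata is a placeholder, since only its presence matters for the check, and `example.org` and the 192.0.2.1 address are documentation values.

```python
"""Wire-level check of whether a DNS forwarder preserves DNSSEC data.

A validating stub asks with the EDNS0 DO ("DNSSEC OK") bit set. A forwarder
that understands EDNS passes the bit upstream and returns the RRSIG records;
a naive one drops the OPT RR and returns a plain answer that cannot be
validated locally, which is the failure mode discussed in the thread.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_AD = 0x8000, 0x0100, 0x0020
EDNS_DO = 0x8000  # the DO bit is the high bit of the OPT RR's "TTL" field


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(qid, flags, qname, qtype=TYPE_A, answers=(), dnssec_ok=None):
    """Assemble a DNS message.

    answers: list of (rrtype, rdata) placed in the answer section.
    dnssec_ok: True/False adds an OPT RR with/without DO; None omits EDNS0.
    """
    opt = b""
    if dnssec_ok is not None:
        ttl = EDNS_DO if dnssec_ok else 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    hdr = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 1 if opt else 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        body += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body + opt


def build_query(qname, qid=0x1234):
    """What a validating stub sends: RD set, and DO requested via EDNS0."""
    return build_message(qid, FLAG_RD, qname, dnssec_ok=True)


def read_name(msg, off):
    """Skip over a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (flags, [rrtypes seen], do_bit); do_bit is None when no OPT RR."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off) + 4  # skip qtype + qclass
    types, do_bit = [], None
    for _ in range(an + ns + ar):
        off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do_bit = bool(ttl & EDNS_DO)
        else:
            types.append(rtype)
    return flags, types, do_bit


def dnssec_usable(msg):
    """True only if the forwarder echoed DO and kept the RRSIG a validator needs.

    The AD flag is deliberately not consulted: a local validator has to check
    the signatures itself rather than trust a bit set by someone else's cache.
    """
    flags, types, do_bit = parse_response(msg)
    return do_bit is True and TYPE_RRSIG in types


# Constructed sample responses (not captured traffic).
A_RDATA = bytes([192, 0, 2, 1])
RRSIG_PLACEHOLDER = bytes(20)  # stands in for a real signature; only presence is checked
GOOD = build_message(0x1234, FLAG_QR | FLAG_RD | FLAG_AD, "example.org",
                     answers=[(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_PLACEHOLDER)],
                     dnssec_ok=True)
NAIVE = build_message(0x1234, FLAG_QR | FLAG_RD, "example.org",
                      answers=[(TYPE_A, A_RDATA)], dnssec_ok=None)

if __name__ == "__main__":
    print("DNSSEC-aware forwarder:", dnssec_usable(GOOD))
    print("naive forwarder:       ", dnssec_usable(NAIVE))
```

Against a live forwarder the same test is `dig +dnssec @forwarder example.org A`: if the reply lacks an `OPT` pseudosection with `do` and has no `RRSIG` in the answer, a validator behind that forwarder has nothing to verify and must bypass it.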