On Tue, Oct 29, 2013, at 17:35, Ian Jackson wrote:
> Wouter Verhelst writes ("Re: Jessie release goal: DNSSEC as default
> recursive resolver"):
> > There is nothing in DNSSEC which makes it inherently incompatible with
> > using DNS forwarders. Talking to the root DNS servers is fun and all,
> > but there's really no good reason why you shouldn't use the large DNS
> > cache on your ISP's recursive DNS server.
>
> I'm afraid this is not true. The way DNSSEC is designed means that
> you can't "tunnel" the DNSSEC data through a forwarding nameserver
> which doesn't itself understand DNSSEC at least to a minimal extent.
>
> If your local forwarder doesn't do this, which is quite likely, you
> have to fall back to the global infrastructure - and hope it's not
> blocked or intercepted.

There are even ways to tunnel DNS through TLS on top of TCP/443. (Ugly but effective as a last resort.)

> > Now, if your local DNS server ignores requests for RRSIG records, or
> > sabotages DNSSEC in other ways, it might make sense to try to bypass
> > them, possibly by running a local caching DNS server. But that should
> > not be the first thing to do.
>
> IIRC one of the ways that DNSSEC breaks naive forwarders is that its
> rules for what constitutes an RRset are different to normal. It's a
> while since I looked at this but I could go and look at the RFCs
> again...

That's true.

O.
--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Archive: http://lists.debian.org/1383065010.12113.40313685.265ea...@webmail.messagingengine.com
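The check that Ian's point implies, as an added stdlib-only Python example (not code from the thread, from Debian or from Knot DNS): it builds the EDNS0 query a DNSSEC-aware client sends and inspects a reply for the three signals a DNSSEC-unaware forwarder strips or never sets (echoed DO bit, surviving RRSIG records, AD flag). Replies are constructed inline with a made-up address so it runs offline; all function names are this example's own.

```python
import struct

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ended by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_dnssec_query(name, qtype=1, txid=0x1234):
    """Query with an EDNS0 OPT record carrying the DO bit (RFC 6891); every hop must pass it intact."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL field = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)  # flag bit 0x8000 = DO
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln

def inspect_response(msg):
    """Report the DNSSEC signals in a reply: DO echoed in OPT, RRSIG count, AD flag, rcode."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE + QCLASS
    rrsig, do_echoed = 0, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrsig += (rtype == 46)                               # RRSIG
        do_echoed |= (rtype == 41 and bool(ttl & 0x8000))    # OPT with DO set
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "do": do_echoed, "rrsig": rrsig}

def constructed_reply(query, rrs, echo_do, ad):
    """Constructed (not captured) reply to `query`; rrs = [(rtype, rdata), ...]."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x20 if ad else 0)   # QR, RD, RA; AD only from a validating resolver
    qend = skip_name(query, 12) + 4
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(r)) + r for t, r in rrs)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0) if echo_do else b""
    head = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 1 if echo_do else 0)
    return head + query[12:qend] + body + opt
```

Against a live resolver you would send build_dnssec_query() over UDP and hand the datagram to inspect_response(); rcode 0 with no RRSIG and no echoed DO is the naive-forwarder case the thread describes.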