Re: Jessie release goal: DNSSEC as default recursive resolver

2013-11-05 Thread Paul Wise
On Sun, Oct 27, 2013 at 12:08 AM, Thomas Goirand wrote: > I'd find it very nice if we had, by default, DNSSEC resolving in Debian, I've been running this configuration for a while (using unbound on my laptop) and during my recent travels in Europe I discovered networks that are problematic in som

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-11-05 Thread Wouter Verhelst
On 03-11-13 19:05, Marko Randjelovic wrote: > On Sun, 3 Nov 2013 12:32:40 +0100 > Bastian Blank wrote: > >> On Sun, Nov 03, 2013 at 11:15:36AM +0100, Marko Randjelovic wrote: >>> Just to say we should not expect too much from DNSSEC because DNSSEC is >>> centralized: >> >> Could you explain the

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-11-05 Thread Wouter Verhelst
On 03-11-13 16:21, Thomas Goirand wrote: > On 10/30/2013 10:56 PM, Wouter Verhelst wrote: >> At any rate, my main point was that we should not default to using a >> system-local recursive resolver which ignores the ISP-provided one, just >> because that's the "easiest" way to do DNSSEC these days

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-11-04 Thread Ondřej Surý
That's just a load of crap (decentralize everything, yeah!) and has nothing to do with DNSSEC really. The problem of P2P DNS and why it can't work was already explained several times, f.e. read here for a nice summary from Paul Wouters: https://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-11-03 Thread Marko Randjelovic
On Sun, 3 Nov 2013 12:32:40 +0100 Bastian Blank wrote: > On Sun, Nov 03, 2013 at 11:15:36AM +0100, Marko Randjelovic wrote: > > Just to say we should not expect too much from DNSSEC because DNSSEC is > > centralized: > > Could you explain the problems you see a bit more verbosely? > > > https://g

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-11-03 Thread Thomas Goirand
On 10/30/2013 10:56 PM, Wouter Verhelst wrote: > At any rate, my main point was that we should not default to using a > system-local recursive resolver which ignores the ISP-provided one, just > because that's the "easiest" way to do DNSSEC these days. Correct, that's not the *only* reason! :) An

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-11-03 Thread Bastian Blank
On Sun, Nov 03, 2013 at 11:15:36AM +0100, Marko Randjelovic wrote: > Just to say we should not expect too much from DNSSEC because DNSSEC is > centralized: Could you explain the problems you see a bit more verbosely? > https://gnunet.org/uva2013 This is just an announcement and nothing about DNSSE

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-11-03 Thread Marko Randjelovic
Just to say we should not expect too much from DNSSEC because DNSSEC is centralized: https://gnunet.org/uva2013 -- http://mr.flossdaily.org

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-30 Thread Wouter Verhelst
On 29-10-13 17:35, Ian Jackson wrote: > Wouter Verhelst writes ("Re: Jessie release goal: DNSSEC as default recursive > resolver"): >> There is nothing in DNSSEC which makes it inherently incompatible with >> using DNS forwarders. Talking to the root DNS servers is

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-29 Thread Ondřej Surý
On Tue, Oct 29, 2013, at 17:35, Ian Jackson wrote: > Wouter Verhelst writes ("Re: Jessie release goal: DNSSEC as default > recursive resolver"): > > There is nothing in DNSSEC which makes it inherently incompatible with > > using DNS forwarders. Talking to the roo

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-29 Thread Ian Jackson
Wouter Verhelst writes ("Re: Jessie release goal: DNSSEC as default recursive resolver"): > There is nothing in DNSSEC which makes it inherently incompatible with > using DNS forwarders. Talking to the root DNS servers is fun and all, > but there's really no good reason w

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-29 Thread Kristof Provost
On 2013-10-29 22:03:59 (+0800), Thomas Goirand wrote: > On 10/29/2013 03:42 AM, Wouter Verhelst wrote: > > There's also no reason why you _need_ a local DNS server to be able to > > do DNSSEC resolving; you can theoretically use a stub resolver (though > > I'm not sure if there's a stub resolver i

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-29 Thread Thomas Goirand
On 10/29/2013 03:42 AM, Wouter Verhelst wrote: > On 28-10-13 19:28, Thomas Goirand wrote: >> So, as per the replies we've read, it seems that the only way to >> implement DNSSEC would be to first check if it works, and if it doesn't, >> fallback to the locally provided recursive DNS server. > >

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-28 Thread Wouter Verhelst
On 28-10-13 19:28, Thomas Goirand wrote: > So, as per the replies we've read, it seems that the only way to > implement DNSSEC would be to first check if it works, and if it doesn't, > fallback to the locally provided recursive DNS server. This feels upside down to me. There is nothing in DNSSE

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-28 Thread Kevin Chadwick
> So, as per the replies we've read, it seems that the only way to > implement DNSSEC would be to first check if it works, and if it doesn't, > fallback to the locally provided recursive DNS server. I still think a switch on/off (whatever the default) should be considered because if anyone decides

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-28 Thread Thomas Goirand
On 10/28/2013 10:29 PM, Adam Borowski wrote: > On Mon, Oct 28, 2013 at 01:01:13PM +0100, Thijs Kinkhorst wrote: >> On Sat, October 26, 2013 18:52, Ondřej Surý wrote: >>> we can adopt dnssec-trigger >> >> I think it's indeed very important that a default install uses the DHCP >> provided DNS-serve

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-28 Thread Adam Borowski
On Mon, Oct 28, 2013 at 01:01:13PM +0100, Thijs Kinkhorst wrote: > On Sat, October 26, 2013 18:52, Ondřej Surý wrote: > > we can adopt dnssec-trigger > > I think it's indeed very important that a default install uses the DHCP > provided DNS-servers or locally configured resolvers, because in man

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-28 Thread Thijs Kinkhorst
On Sat, October 26, 2013 18:52, Ondřej Surý wrote: >> The safe default is still to rely on the organizational DNS resolvers as >> provided by DHCP or local manual configuration. > > we can adopt dnssec-trigger > (https://www.nlnetlabs.nl/projects/dnssec-trigger/) for such scenarios. I think it's

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-27 Thread Bastian Blank
On Sat, Oct 26, 2013 at 08:57:54PM +0200, Marco d'Itri wrote: > On Oct 26, Thomas Goirand wrote: > > I'd find it very nice if we had, by default, DNSSEC resolving in Debian, > > at least in the "default" configuration (whatever that means). By this, > I agree with the general principle, but I do n

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-27 Thread Thomas Goirand
On 10/27/2013 01:52 AM, Ondřej Surý wrote: > I still think that Debian should be a technology leader. > Conservative, but technology leader. And DNSSEC adoption would help the > case. > > Also the DSA has already enabled DANE (DNSSEC validated TLS certs) on > Debian's MTAs, the postfix 2.11 wi

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-27 Thread Kevin Chadwick
> On Sat, Oct 26, 2013, at 18:58, Kevin Chadwick wrote: > > I believe the reliability (DOS) issues that DNSSEC imposes coupled with > > Please, not this again. If you say DNSSEC DOS issue, you must state all > the other issues that DNS has. > Not really, the security issues are already catered f

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-26 Thread Marco d'Itri
On Oct 26, Thomas Goirand wrote: > I'd find it very nice if we had, by default, DNSSEC resolving in Debian, > at least in the "default" configuration (whatever that means). By this, I agree with the general principle, but I do not think that a recursive resolver should be installed by default on

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-26 Thread Ondřej Surý
Hi Russ, On Sat, Oct 26, 2013, at 18:20, Russ Allbery wrote: > Thomas Goirand writes: > > > If this means installing a recursive DNS resolver by default (unbound > > pops to my mind, since it has the feature by default), I'd say be it, > > though probably that is more of an open question, and an

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-26 Thread Ondřej Surý
On Sat, Oct 26, 2013, at 18:58, Kevin Chadwick wrote: > I believe the reliability (DOS) issues that DNSSEC imposes coupled with Please, not this again. If you say DNSSEC DOS issue, you must state all the other issues that DNS has. > the low level of adoption It's certainly more adopted than IPv6

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-26 Thread Kevin Chadwick
> If I'm not mistaken (please correct me), Fedora has the feature, and > it's been a long time they do. FreeBSD as well (they have unbound in the > default installer). OpenBSD also removed bind and switched to unbound > (or at least is planning on doing it, I'm not sure). Debian shouldn't be > lef

Re: Jessie release goal: DNSSEC as default recursive resolver

2013-10-26 Thread Russ Allbery
Thomas Goirand writes: > If this means installing a recursive DNS resolver by default (unbound > pops to my mind, since it has the feature by default), I'd say be it, > though probably that is more of an open question, and an implementation > detail. I personally wouldn't mind at all if the Debi

Jessie release goal: DNSSEC as default recursive resolver

2013-10-26 Thread Thomas Goirand
Hi, I'd find it very nice if we had, by default, DNSSEC resolving in Debian, at least in the "default" configuration (whatever that means). By this, I mean that any non-experienced user would just install (or upgrade to) Jessie, start a web browser (Chromium, Iceweasel, etc.: take your pick...), a