From: Dave Taht <dave.taht@gmail.com>
To: "Török Edwin" <edwin+ml-cerowrt@etorok.net>
Cc: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
Date: Sun, 13 Apr 2014 08:04:35 -0700 [thread overview]
Message-ID: <CAA93jw7TBE4XQr85k=PGneZ8bixZDeCu+S+jV=XPBvTKMmoQRg@mail.gmail.com> (raw)
In-Reply-To: <534A420C.4020102@etorok.net>
On Sun, Apr 13, 2014 at 12:51 AM, Török Edwin
<edwin+ml-cerowrt@etorok.net> wrote:
> On 04/13/2014 07:26 AM, Dave Taht wrote:
>> I am delighted that we have the capability now to do dnssec.
>>
>> I am not surprised that various domain name holders are doing it
>> wrong, nor that some ISPs and registrars don't support doing it
>> either. We are first past the post here, and kind of have to expect
>> some bugs...
>>
>> but is the overall sense here:
>>
>> A) we should do full dnssec by default, and encourage users to use
>> open dns resolvers like google dns that support it when their ISPs
>> don't?
>
> There are people who don't use Google DNS due to privacy concerns.
> Given the choice between not using DNSSEC, and using Google's DNS they might prefer not having DNSSEC.
Good point.
Well there is also dnscrypt and opendns. There's a (broken) dnscrypt
packaging attempt in ceropackages.
>
>>
>> B) or should we fall back to the previous partial dnssec
>> implementation that didn't break as hard, and encourage folk to turn
>> it up full blast if supported correctly by the upstream ISP?
>>
>> C) or come up with a way of detecting a broken upstream and falling
>> back to a public open resolver?
>>
>> Is there a "D"?
>
> There are some tests described here, and a 'dynamic fallback' technique in section 5:
> http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-roadblock-avoidance-00
>
> I think the 'dynamic fallback' can be described in short as: try to use upstream DNS resolver,
> and if you don't get the DNSSEC metadata that you expected, *then* eventually fallback to iterating from Root for that metadata.
Which only works for a full blown local resolver. In the dnsmasq case
the switch would have to be another open dns resolver.
We could iterate over a list of open dns resolvers to find the best one.
> So then A/AAAA/TXT/NS/etc. records would be answered by upstream, and only for the DNSSEC metadata you would need to iterate
> (and you could cache that, or stop iterating if you realize the zone is unsigned as per section 5.1.1)
Maybe there could be a "dnssec-fallback-resolver" setting in dnsmasq,
that it could fall back to if a known-not-to-resolve-properly domain
can't do a proof of non-existence properly?
bork.bork.bork.bork.example.org
> Best regards,
> --Edwin
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
next prev parent reply other threads:[~2014-04-13 15:04 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-13 4:26 Dave Taht
2014-04-13 7:51 ` Török Edwin
2014-04-13 15:04 ` Dave Taht [this message]
2014-04-13 10:05 ` Toke Høiland-Jørgensen
2014-04-13 14:57 ` Dave Taht
2014-04-13 17:59 ` Chuck Anderson
2014-04-13 23:24 ` Dave Taht
2014-04-14 9:29 ` Aaron Wood
2014-04-17 21:01 ` Simon Kelley
2014-04-17 21:19 ` Dave Taht
2014-04-20 14:01 ` Chuck Anderson
2014-04-20 15:16 ` Valdis.Kletnieks
2014-04-20 15:41 ` Chuck Anderson
2014-04-13 16:16 ` dpreed
2014-04-13 16:40 ` Dave Taht
2014-04-13 17:57 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAA93jw7TBE4XQr85k=PGneZ8bixZDeCu+S+jV=XPBvTKMmoQRg@mail.gmail.com' \
--to=dave.taht@gmail.com \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=edwin+ml-cerowrt@etorok.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox