[Cerowrt-devel] thoughts toward improving cerowrt's DNS and DNSSEC in the next release

Mon Aug 20 16:23:01 EDT 2012

Thank You for the response.

There may be benefit to a common UI configuration layer for DNS in the
router
that has a checkbox for [ ] DNSSEC - that transparently swaps out the DNS
Server
for the end user - and could deliver the best of both worlds today.

Most of the DNS Configuration Options in the UI could be abstracted out to
write
the correct configuration files for the DNS solution of your choice, and we
could
remove the integration detail to scripts that process the UI settings and
control
the appropriate Start / Stop Scripts.

It would take a small piece of MiddleWare called by the UI that can take
**any**
plugin solution that could be put into the Apps Package List

This basic design principal might be useful in other areas of the router UI
as
well, since there are probably a lot of "Swap This For That" options that
will
be useful over the long term.

That probably deserves more thought.

G.

On Mon, Aug 20, 2012 at 4:14 PM, Evan Hunt <ethanol at gmail.com> wrote:

> > *** the following is mean to be an "opinion for discussion - not
> intended to
> > cause friction.'  ***
>
> Same here.  I have parental affection for BIND, but if something else
> does a better job of making the internet better, then something else
> ought to win.
>
> > It is my opinion that - BIND9 should not be the only default install
> option,
> > and there should probably be an either or choice DNS Security / or
> > (Memory + Processor + Name Resolution Speed).
> >
> > I would agree that there is value in DNSSEC - for people who want it, but
> > I believe that it should be optional due to the substantial performance
> > penalty that comes from the combination of extra cpu and memory to run
> > BIND9 - for those who do not expect DNSSEC, or see value in it.
> >
> > 3 years from now when the demand for DNSSEC may be higher -
> > routers will have substantially more compute and memory, but today
> > both of those are critical components in the overall solution.
>
> I sort of agree and sort of don't.  If I'm designing for the
> commonplace CPE of 2012, yeah, I'm probably not going to want BIND.
> But I hope for cerowrt to blaze the trails people will be following
> three years from now.  By then, not only will we have beefier routers
> to run name servers on, but there'll probably be more choices of name
> servers that support the necessary feature set.  Taking the memory hit
> to run BIND now lets us learn lessons about how to deal with
> home-network naming in a DNSSEC-enabled world while the stakes are
> still relatively low.
>
> I like your idea of having multiple options and making the tradeoffs
> explicit though.
>
> Evan
>

-- 
P THINK BEFORE PRINTING: is it really necessary?

This e-mail and its attachments are confidential and solely for the
intended addressee(s). Do not share or use them without approval. If
received in error, contact the sender
and delete them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20120820/667126b2/attachment-0002.html>