[Cerowrt-devel] thoughts toward improving cerowrt's DNS and DNSSEC in the next release

Michael Richardson mcr at sandelman.ca
Tue Aug 21 18:31:31 EDT 2012

>>>>> "Dave" == Dave Taht <dave.taht at gmail.com> writes:
    Dave> The ongoing DNS issues bug me. For most uses these days I disable bind
    Dave> entirely, as the 12-20MB it uses up are better used for packets. I do
    Dave> use it on 3800s but not on 3700v2s.

Evan/Dave, I am not in a position to gather primary data, but how much
space does bind9 really need just to start with an empty cache?

I'd think that, at that point, how much memory is then allocated to the
cache can be controlled by some named.conf control?  It hasn't mattered
to me, so I've never looked it up... (and got no network, and tablet has
no bind(9)).

I think that we want to push the DNS servers that we get from DHCP into
bind's forwarders statement (which I think you agree with via
forwarders.conf comment, but I don't know if it's exactly equivalent to
forwarders {}).  
Let's leave the qualification of whether or not the servers do the right
thing to bind itself... the forwarders {} stanza can have multiple items,
and bind will give up on them if they don't work, and talk to the root
name servers directly if none work. (Unless you have forwarders-only...)

Your NXDOMAIN concerns... is this about ISPs (like Rogers.com) that
helpfully lie and make up A records for things that do not exist?

I suggest that this determination be done separately (in another
module).  Someone else can solve that problem,  and withdraw things from
forwarders.conf as appropriate.

    Dave> 2) Going to the DNS roots with bind, is OK, but it is always faster,
    Dave> and more reliable to use the ISP provided DNS servers, if they

..if..if.. the biggest problem is not that it's faster, but that some
ISPs have services, e.g: "mail" which they do not document as FQDNs.

We (homenet-ish systems) need to have local DNS services, and have the
ability to query walled gardens, etc... 

    Dave> Given the amount of time, energy, and money (all 0) I personally have
    Dave> to deal with these issues, I'm mostly tempted to save on hair by
    Dave> making dnsmasq the default going forward, and write off bind for now.

I concur... "for now"
Maybe others with paid time can step up to make this happen.. (Evan?)
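Editor's added example (not CeroWrt code, and not anything Dave or Michael posted): a small POSIX shell script of the shape the thread is circling around. It turns the resolver list DHCP handed out into a BIND9 forwarders stanza, and keeps the "does this ISP lie about NXDOMAIN" check as a separate step that withdraws a server from the list rather than mixing it into the stanza generation. Two assumptions are worth flagging: the probe uses a random label under the reserved .invalid TLD (an honest resolver must answer NXDOMAIN for it), and the stanza uses BIND's real keywords, "forward first;" (fall back to iterative resolution from the root hints when the forwarders fail, the default) and "forward only;" (never fall back), which is the option Michael is gesturing at with "forwarders-only". Function names and file layout are this example's own.

```sh
#!/bin/sh
# Added example, not from the CeroWrt tree.
# Builds a BIND9 forwarders stanza from DHCP-supplied resolvers and screens
# out resolvers that synthesise A records for names that do not exist.

# forwarders_stanza "IP IP ..." [first|only]
# Prints a stanza suitable for inclusion from named.conf's options {} block.
forwarders_stanza() {
    mode=${2:-first}          # "first": fall back to the roots; "only": never do
    if [ -z "$1" ]; then
        # No usable forwarders: an empty list makes BIND iterate from root hints.
        printf 'forwarders { };\n'
        return 0
    fi
    printf 'forward %s;\nforwarders {' "$mode"
    for ip in $1; do
        printf ' %s;' "$ip"
    done
    printf ' };\n'
}

# lies_about_nxdomain: reads dig-style output (+comments +answer) on stdin
# for a name that cannot exist; returns 0 (true) if the resolver answered
# NOERROR with an A record instead of NXDOMAIN.
lies_about_nxdomain() {
    answer=$(cat)
    case "$answer" in
        *"status: NXDOMAIN"*) return 1 ;;   # honest answer
    esac
    printf '%s\n' "$answer" | grep -q '[[:space:]]IN[[:space:]]A[[:space:]]'
}

# probe_resolver NAME IP: the real probe, asks the resolver directly.
# dig comes from the bind-dig / bind-tools package; assumption, not tested here.
probe_resolver() {
    dig +noall +comments +answer "$1" @"$2"
}

# filter_forwarders "IP IP ..." [probe-command]
# Prints the subset of resolvers that answer NXDOMAIN honestly.
# The probe command is injectable so the check can be exercised offline.
filter_forwarders() {
    probe=${2:-probe_resolver}
    kept=""
    for ip in $1; do
        # Random label under .invalid (RFC 2606): must not resolve anywhere.
        name="$(date +%s)$$-nx.invalid"
        if "$probe" "$name" "$ip" | lies_about_nxdomain; then
            echo "dropping $ip: synthesises answers for non-existent names" >&2
        else
            kept="$kept $ip"
        fi
    done
    printf '%s\n' "${kept# }"
}

# Usage sketch: DHCP_DNS would be whatever the DHCP client handed us.
# honest=$(filter_forwarders "$DHCP_DNS")
# forwarders_stanza "$honest" first > /var/run/named/forwarders.conf
```

With "forward first;" a server that never answers costs a timeout per query before BIND falls back to the roots, so withdrawing known-bad servers up front, as above, is worth more than relying on that fallback. The cache ceiling Michael asks about is a real named.conf knob: "max-cache-size" in the options {} block bounds the memory the resolver cache may use, independently of what named allocates at start-up.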

