[dns-operations] Best practices for Linux/UNIX stub resolver failover

Robert Edmonds edmonds at mycre.ws
Wed Apr 23 19:08:07 UTC 2014


Jonathan Stewart wrote:
> Robert Edmonds <edmonds at mycre.ws> wrote:
> 
> > Chuck Anderson wrote:
> > > 2. Use a local DNS daemon on every server with forwarders configured
> > >    to the network's nameservers, and fix resolv.conf to 127.0.0.1.
> >
> > I'll shamelessly admit that I do this on all my Debian systems, where
> > "apt-get install unbound resolvconf" results in exactly that
> > configuration.
> >
> Does this result in a DNSSEC-validating resolver, as well?

Yes, it does.  We ship a default config for Unbound that uses the
"auto-trust-anchor-file" mode for the root trust anchor.  You have to
specifically remove that from the config in order to disable DNSSEC
validation.

> If so, then Chuck's problem is actually a solved one, and his request (as
> mine would be) is that the Linux distributions make this default, so long
> as the setting of one or more recursive resolvers was easy.

Er, not really.  This config is just plain old DNSSEC validation, so you
(rightly) get no DNS resolution at all on networks where it is not
possible to perform DNSSEC validation (e.g., random wifi hotspots).  We
could not realistically enable this by default for all Debian
installations, not without additional components (e.g., dnssec-trigger)
to fix the hotspot problem.

> Of course, in an environment where DNS queries have not been restricted,
> this setup should run standalone, resolving DNS queries from the root.

No, by default resolvconf configures Unbound to forward lookups to the
DNS servers that the system has been configured to use.  (Either
statically assigned or learned via DHCP.)  If the sysadmin configures
the system to not use any upstream DNS servers then forwarding mode is
turned off and Unbound does full recursion.

-- 
Robert Edmonds
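What the post describes, as an added example that is not Debian's resolvconf hook or any code from the thread: a small POSIX shell script that turns the nameservers a host was given (statically or via DHCP) into an Unbound forward-zone, emits no forward-zone at all when there are no upstream servers (so Unbound falls back to full recursion), and prints a base config that keeps DNSSEC validation on via "auto-trust-anchor-file". The resolv.conf content is constructed sample input; the root.key path and 127.0.0.1 listener are assumptions, and the loopback filter is there so a resolv.conf already pointed at the local daemon does not make Unbound forward to itself.

```shell
#!/bin/sh
# Added example (not the resolvconf package's own update hook).
# Assumes: Unbound listens on 127.0.0.1, root.key lives under
# /var/lib/unbound (the usual Debian path), unbound-checkconf is installed.

# Constructed sample input standing in for what DHCP/resolvconf handed us.
SAMPLE_RESOLV_CONF='# Generated by resolvconf
nameserver 192.0.2.53
nameserver 192.0.2.54
search example.net'

# Base config: local-only listener with DNSSEC validation enabled.
# Removing the auto-trust-anchor-file line is what turns validation off.
base_unbound_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Root trust anchor, maintained by RFC 5011 rollover (assumed path).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
EOF
}

# Read resolv.conf on stdin; print a forward-zone for every upstream
# "nameserver" line, skipping loopback so we never forward to ourselves.
# With no usable upstream the function prints nothing, and Unbound then
# resolves from the root on its own.
gen_forward_zone() {
    servers=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }')
    [ -n "$servers" ] || return 0
    printf 'forward-zone:\n    name: "."\n'
    for s in $servers; do
        printf '    forward-addr: %s\n' "$s"
    done
}

# Helper for checking behaviour: number of forwarders produced for a
# given resolv.conf body (0 means "full recursion").
count_forwarders() {
    printf '%s\n' "$1" | gen_forward_zone | grep -c 'forward-addr:' || true
}

# Assemble a complete config for the sample input.
build_config() {
    base_unbound_conf
    printf '%s\n' "$1" | gen_forward_zone
}

build_config "$SAMPLE_RESOLV_CONF"
```

Write the output to a file and run `unbound-checkconf <file>` before reloading; with the sample input you get two forward-addr lines, with a resolv.conf that only names 127.0.0.1 you get no forward-zone, which is exactly the "forwarding mode is turned off" case from the post.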
