[dns-operations] resolvers considered harmful

Paul Vixie paul at redbarn.org
Sat Oct 25 18:16:54 UTC 2014

> Stephane Bortzmeyer <mailto:bortzmeyer at nic.fr>
> Saturday, October 25, 2014 9:15 AM
> On Thu, Oct 23, 2014 at 10:36:37AM -0700,
> Paul Vixie <paul at redbarn.org> wrote
> I have run Unbound on my laptop for many years, using ::1 as the only
> resolver. It works on most normal networks. As usual, hotel and
> airport networks are awful, necessitating a fallback. The best solution
> is to automatize the fallback with the excellent dnssec-trigger
> <http://www.nlnetlabs.nl/projects/dnssec-trigger/>.

i believe that this fallback scheme is the only way you, or drc, or
florian, is able to get useful work done in this configuration. when i
ran suse linux on my laptop, dhcp-client's nameservers went into an
"include file" for BIND9, in a configuration that said "forward last;".

i do not believe that we could recommend end-user RDNS without that, or
that we should ever do so with that.

Paul Vixie