Maintained by: NLnet Labs

[Unbound-users] combining python + 2 iterator modules

Paul Wouters
Thu Jan 22 18:10:42 CET 2015


On Thu, 22 Jan 2015, Petr Spacek wrote:

> 2) Query processing for cases where local servers do not support DNSSEC:
> - Do recursion and validation using external DNS servers.
> a) If result is SECURE -> return result.
> b) If result is provably INSECURE -> query local servers advertised by DHCP
> and return whatever they returned.

Is this really worth the effort and the risk? This is clearly not ideal
when at a coffeeshop. And as a concept, unexplainable to endusers.

> This algorithm covers DNS split-views with internal unsigned views pretty
> nicely as long as the fundamental assumption holds.

In my opinion, the way to do this is simply an option in Network Manager
that says "when on this network, trust and use the local DNS".

Simple. easy to explain to endusers. Easy to implement without python
modules. Does not change behaviour based on whether domains are DNSSEC
signed.

Paul