Re: [dane] An AD bit discussion (correction)

[Viktor Dukhovni <viktor1dane@dukhovni.org>]

On Thu, Feb 27, 2014 at 05:49:54PM -0500, Paul Wouters wrote:

> >I want the AD bit to be more than blind faith.
> 
> - Make unbound part of every install
>
> - Modify Anaconda/kickstart to take user's static DNS input and store
>   it somewhere (e.g. /etc/sysconfig/unbound or something)
>   and put 127.0.0.1 in resolv.conf
>
> - Modify unbound systemd service to run unbound-control forward_add
>   . <DNS info from sysconfig> in ExecStartPost=
>
> - Modify NM to run unbound-control forward_add . <DNS info from dhcp>
>   instead of modifying resolv.conf
> 
> no crypto library and no glibc modifications needed.

I agree, but one of the more vocal Postfix users does not.  Perhaps
we can ignore him as an unrepresentative zealot.  Objectively, I
see no reason to say no to a local validating cache.

If RedHat can standardize on a local validating cache on every
machine, that *is* better than hacking the AD bit, provided you
can ignore the zealots who insist that with a few LAN-local caches,
adding local caches on each machine is somehow bad.

My point that with virtual machines context switching to a different
VM is likely much more expensive than context switching to a local
process did not make much of an impression.

So *if* there is a local resolver and it is the only one used,
great!  No need to disable the AD bit.  If there is not, perhaps
"failing safe" is sensible.

It may be enough to design systems that default to local resolvers,
and users who change that are free to shoot themselves in both feet.

-- 
	Viktor.