Re: [dane] An AD bit discussion (correction)

Viktor Dukhovni, Thu, 27 February 2014 23:09 UTC

List-Id: DNS-based Authentication of Named Entities (dane)

On Thu, Feb 27, 2014 at 05:49:54PM -0500, Paul Wouters wrote:

> > I want the AD bit to be more than blind faith.
> - Make unbound part of every install
> - Modify Anaconda/kickstart to take user's static DNS input and store
>   it somewhere (e.g. /etc/sysconfig/unbound or something)
>   and put in resolv.conf
> - Modify unbound systemd service to run unbound-control forward_add
>   . <DNS info from sysconfig> in ExecStartPost=
> - Modify NM to run unbound-control forward_add . <DNS info from dhcp>
>   instead of modifying resolv.conf
> no crypto library and no glibc modifications needed.

I agree, but one of the more vocal Postfix users does not.  Perhaps
we can ignore him as an unrepresentative zealot.  Objectively, I
see no reason to say no to a local validating cache.

If RedHat can standardize on a local validating cache on every
machine, that *is* better than hacking the AD bit, provided you
can ignore the zealots who insist that with a few LAN-local caches,
adding local caches on each machine is somehow bad.

My point that, with virtual machines, context switching to a different
VM is likely much more expensive than context switching to a local
process did not make much of an impression.

So *if* there is a local resolver and it is the only one used,
great!  No need to disable the AD bit.  If there is not, perhaps
"failing safe" is sensible.

It may be enough to design systems that default to local resolvers,
and users who change that are free to shoot themselves in both feet.
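
As an added illustration of the "failing safe" position taken at the end of this message (example code written for this page, not Viktor's, Paul's, or Postfix's code): a stub-side policy that honours the AD bit in a DNS response only when every nameserver listed in resolv.conf is a loopback address, and otherwise treats the answer as unvalidated. The resolv.conf texts and the 12-byte DNS response headers below are constructed samples.

```python
import ipaddress
import struct

# Constructed sample resolv.conf contents (not from the original message).
RESOLV_LOCAL = """# Generated by NetworkManager
nameserver 127.0.0.1
"""

RESOLV_LAN = """search example.net
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

AD_FLAG = 0x0020  # "Authentic Data" bit in the DNS header flags (RFC 4035)


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        # Strip '#' and ';' comments, then look for "nameserver <addr>".
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def only_local_resolvers(resolv_conf: str) -> bool:
    """True only if every configured nameserver is a loopback address.

    The AD bit travels unprotected over the last hop between the stub and
    the recursive resolver, so it only means something when that hop
    cannot be tampered with, i.e. when the validating cache is on this
    same host and nothing else is consulted.
    """
    servers = parse_nameservers(resolv_conf)
    if not servers:
        return False  # do not guess at defaults; fail safe
    try:
        return all(
            ipaddress.ip_address(s.split("%", 1)[0]).is_loopback for s in servers
        )
    except ValueError:
        return False  # unparsable address: fail safe


def ad_bit_set(response: bytes) -> bool:
    """Read the AD flag from the header of a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags = struct.unpack("!HH", response[:4])
    return bool(flags & AD_FLAG)


def dnssec_validated(response: bytes, resolv_conf: str) -> bool:
    """Fail-safe policy: believe AD only from a local validating resolver."""
    return ad_bit_set(response) and only_local_resolvers(resolv_conf)


# Constructed DNS response headers: ID 0x1234, 1 question, 1 answer,
# no authority/additional records. 0x81A0 = QR|RD|RA|AD, 0x8180 = QR|RD|RA.
RESPONSE_WITH_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
RESPONSE_WITHOUT_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    print(dnssec_validated(RESPONSE_WITH_AD, RESOLV_LOCAL))     # True
    print(dnssec_validated(RESPONSE_WITH_AD, RESOLV_LAN))       # False: LAN cache listed
    print(dnssec_validated(RESPONSE_WITHOUT_AD, RESOLV_LOCAL))  # False: AD not set
```

Paul's layout above is what makes the local-only condition hold on a Red Hat install: resolv.conf points only at unbound on 127.0.0.1, and the DHCP or static upstream servers are handed to unbound with `unbound-control forward_add` rather than written into resolv.conf, so the stub never sees a non-loopback nameserver and the AD bit it receives was set by a validator on the same host.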