tags 562031 patch
thanks

On Mon, Feb 01, 2010 at 01:05:59PM +1300, martin f krafft wrote:
> also sprach Ondřej Surý <ond...@sury.org> [2010.01.07.0534 +1300]:
> > add '[ "X$RESOLVCONF" != "Xno" ] &&' here and set RESOLVCONF=yes
> > (or no) to /etc/default/unbound
> > 
> > I think, you don't have to cover all the cases, just the most
> > simple one.
> 
> I don't think this proposal is a good idea at all. First, unbound
> may not be running on 127.0.0.1/::1, and second, what you propose is

I agree with this objection. I have attached a better patch that
checks the config to make sure unbound is listening on localhost
before telling resolvconf that it is.

> a trivial change that the admin can make in /etc/network/interfaces.
> I don't think the package should do that, since it's
> a policy decision.

Hi Martin,

I understand your point of view and I hesitated myself before
disagreeing with you for the following reason:

DNSSEC is here or it is coming. With DNSSEC, you need a resolver
running on the local system to do the DNSSEC validation. (That's unless
the libc stub resolver grows the capability of doing DNSSEC validation
but I don't think that's a direction we should go in.) Sooner or later,
as applications begin to rely on validated DNS information, Debian and
other operating system distributions will have to ship default
configurations that allow this to happen. The admin cannot be expected
to make changes in /etc/network/interfaces in this case. It has to
work out of the box.

You want DNSSEC to work? Install a local resolver and it should just
work (it could be unbound or bind or another one). There are two things
that have to work if this is to be true:

1. The resolver has to make itself available to the system.

2. The resolver has to be told what upstream resolvers to use when it
makes queries. Well, actually that's not essential but we don't want
to have millions of end user PCs that all send queries directly to
the root and TLD servers just because the modern default installation
now comes with a local resolver.

The first is this bug. The second is bug #567879.

> I suggest instead to add a note to the README that unbound can be
> top-inserted as a resolver by adding
> 
>   iface lo inet loopback
>     …
>     dns-nameservers ::1

I'm uncomfortable with that solution because we can do better.
That tells the system to always use ::1. By instead invoking resolvconf
at the proper time we can tell the system to use ::1 only when unbound
is running.

-Phil
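The check Phil describes above (read the unbound config, and tell resolvconf about unbound only when it really listens on a loopback address) can be sketched as a small sh fragment for an init script. This is an added example, not the patch attached to this bug and not the unbound package's own code. It assumes a flat unbound.conf (include: lines are not followed), '#' comments, and that resolvconf takes "nameserver ..." lines on stdin for "-a lo.unbound"; the RESOLVCONF_CMD variable is a hook added here so the logic can be exercised without a real resolvconf.

```shell
#!/bin/sh
# Added example (not the patch attached to this bug, and not the unbound
# package's own init script): only register unbound with resolvconf when its
# config actually makes it reachable as a resolver on this host.
# Assumptions: a flat unbound.conf (include: is not followed), '#' comments,
# and a resolvconf that takes "nameserver ..." lines on stdin for "-a lo.unbound".
# RESOLVCONF_CMD is a hook added for this example; it defaults to resolvconf.

# Read an unbound.conf on stdin and print the loopback addresses the system
# can use as nameserver lines, one per line. Prints nothing if unbound would
# answer only on non-loopback addresses or on a port other than 53, since
# resolv.conf has no way to express either.
unbound_local_listeners() {
    awk '
        { sub(/#.*/, "") }                  # drop comments before looking at fields
        $1 == "port:"      { port = $2 }
        $1 == "interface:" { seen = 1; ifs[n++] = $2 }
        END {
            if (port != "" && port != 53) exit
            # With no interface: line unbound listens on 127.0.0.1 and ::1 by default.
            if (!seen) { print "127.0.0.1"; print "::1"; exit }
            for (i = 0; i < n; i++) {
                a = ifs[i]; p = 53
                k = index(a, "@")           # interface: addr@port overrides port:
                if (k > 0) { p = substr(a, k + 1); a = substr(a, 1, k - 1) }
                if (p != 53) continue
                if (a == "127.0.0.1" || a == "0.0.0.0") v4 = 1
                if (a == "::1" || a == "::0" || a == "::") v6 = 1
            }
            if (v4) print "127.0.0.1"
            if (v6) print "::1"
        }'
}

# Start path of the init script: $1 is the unbound.conf path. Returns 1 and
# calls nothing when there is no loopback listener a stub resolver could use,
# so resolvconf is never told about a resolver that is not there.
register_with_resolvconf() {
    ns=$(unbound_local_listeners < "$1") || return 1
    [ -n "$ns" ] || return 1
    printf '%s\n' "$ns" | sed 's/^/nameserver /' \
        | "${RESOLVCONF_CMD:-resolvconf}" -a lo.unbound
}

# Stop path: withdraw the record so ::1/127.0.0.1 are offered only while
# unbound is actually running.
deregister_from_resolvconf() {
    "${RESOLVCONF_CMD:-resolvconf}" -d lo.unbound
}

# Usage: register_with_resolvconf /etc/unbound/unbound.conf
if [ $# -gt 0 ]; then
    register_with_resolvconf "$1"
fi
```

The record name lo.unbound follows the resolvconf convention of naming records after the interface (lo) and the daemon, so the loopback entry is sorted ahead of addresses learned from real interfaces. An interface: line carrying an @port, or a global port: other than 53, makes the function decline, because a stub resolver reading resolv.conf cannot be pointed at a non-default port.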
