tags 562031 patch
thanks

On Mon, Feb 01, 2010 at 01:05:59PM +1300, martin f krafft wrote:
> also sprach Ondřej Surý <ond...@sury.org> [2010.01.07.0534 +1300]:
> > add '[ "X$RESOLVCONF" != "Xno" ] &&' here and set RESOLVCONF=yes
> > (or no) to /etc/default/unbound
> >
> > I think, you don't have to cover all the cases, just the most
> > simple one.
>
> I don't think this proposal is a good idea at all. First, unbound
> may not be running on 127.0.0.1/::1, and second, what you propose is

I agree with this objection. I have attached a better patch that checks
the config to make sure unbound is listening on localhost before telling
resolvconf that it is.

> a trivial change that the admin can make in /etc/network/interfaces.
> I don't think the package should do that, since it's
> a policy decision.

Hi Martin,

I understand your point of view and I hesitated myself before
disagreeing with you for the following reason: DNSSEC is here or it is
coming. With DNSSEC, you need a resolver running on the local system to
do the DNSSEC validation. (That's unless the libc stub resolver grows
the capability of doing DNSSEC validation but I don't think that's a
direction we should go in.)

Sooner or later, as applications begin to rely on validated DNS
information, Debian and other operating system distributions will have
to ship default configurations that allow this to happen. The admin
cannot be expected to make changes in /etc/network/interfaces in this
case. It has to work out of the box. You want DNSSEC to work? Install
a local resolver and it should just work (it could be unbound or bind or
another one).

There are two things that have to work if this is to be true:

1. The resolver has to make itself available to the system.
2. The resolver has to be told what upstream resolvers to use when it
   makes queries. Well, actually that's not essential but we don't want
   to have millions of end user PCs that all send queries directly to
   the root and TLD servers just because the modern default installation
   now comes with a local resolver.

The first is this bug. The second is bug #567879.

> I suggest instead to add a note to the README that unbound can be
> top-inserted as a resolver by adding
>
> iface lo inet loopback
> …
> dns-nameservers ::1

I'm uncomfortable with that solution because we can do better. That
tells the system to always use ::1. By instead invoking resolvconf at
the proper time we can tell the system to use ::1 only when unbound is
running.
-Phil
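
One way to make the check described in the message above (register with resolvconf only if unbound.conf has unbound answering on a loopback address), as an added example that is not the attached patch or the Debian package's code. The function names and the `lo.unbound` record name are assumptions, and `include:` files and `do-ip4`/`do-ip6` are not handled.

```shell
#!/bin/sh
# Added example: decide from unbound.conf whether unbound serves localhost:53
# and only then produce nameserver lines for resolvconf.

# Print the loopback addresses unbound will answer on, one per line.
# Assumed limits: "include:" files are not followed, do-ip4/do-ip6 are ignored.
unbound_local_addrs() {
    awk '
        { sub(/#.*/, ""); gsub(/"/, "") }          # drop comments and quotes
        $1 == "port:" { port = $2 }
        $1 == "interface:" || $1 == "ip-address:" { addrs[n++] = $2 }
        END {
            if (port == "") port = "53"
            # With no interface lines unbound listens on localhost only.
            if (n == 0) { addrs[n++] = "127.0.0.1"; addrs[n++] = "::1" }
            for (i = 0; i < n; i++) {
                a = addrs[i]; p = port
                if (split(a, parts, "@") == 2) { a = parts[1]; p = parts[2] }
                if (p != "53") continue            # stub resolvers query port 53
                if (a == "0.0.0.0") a = "127.0.0.1"     # wildcard covers loopback
                if (a == "::0" || a == "::") a = "::1"
                if (a != "127.0.0.1" && a != "::1") continue
                if (!(a in seen)) { seen[a] = 1; print a }
            }
        }' "$1"
}

# Emit resolvconf input for the config file in $1. Returns 1 with no output
# when unbound is not reachable on a loopback address, or the file is unreadable.
resolvconf_record() {
    addrs=$(unbound_local_addrs "$1") || return 1
    [ -n "$addrs" ] || return 1
    printf '%s\n' "$addrs" | sed 's/^/nameserver /'
}

# Init-script usage (lo.unbound is an assumed record name):
#   start: rec=$(resolvconf_record /etc/unbound/unbound.conf) &&
#              printf '%s\n' "$rec" | resolvconf -a lo.unbound
#   stop:  resolvconf -d lo.unbound
```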