On Fri, 11 Apr 2014, Bruno Wolff III wrote:
If you don't know there is an exception for a domain (eg at the other
end of a VPN) than you will get the public answers and might not get
where you need to go. Additionally, with DNSSEC there is the problem
that the public view cryptographically proves the internal view does not
exist (eg internal.fedoraproject.org)
With an iterative resolver that may not be true. If the route to the name
server that has that information is over the VPN (so that you have the
correct source address), you should get the right answer.
Sounds like putting RFC1918 addresses in public DNS? Eww. Also, unbound
strips those out unless they come in via forwarders. But also selecting
DNS servers does not relate to routing at all, so this is confusing to
me.
Indeed, with DNSSEC we can use them as cache, because we can validate
the answers. But those servers should never be "trusted".
That doesn't get you the right answers though, it only tells you that they
are lying.
I'm not sure what you are trying to say here.
Paul
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
