Quoting Alessandro Selli ([email protected]):

> I followed the same logic when I listed 26 alternate public DNS servers to
> choose from. I know it contradicts my own argument that the install program
> should ask the fewest possible questions.

Before I follow you further down this rabbit hole, I'm curious: Are you still speaking about Devuan and its distro installer? Because my understanding is that Devuan is not currently aspiring to have 'zero questions asked' (your phrase) nor anything like the fewest possible interactions with the installing administrator for the default installation mode.

I have been assuming we were impliedly talking about the default installation mode, not a non-default fully-automated mode nor a non-default expert installation mode, or anything else of that sort.

I ask because your current posting meanders all over those things, which is confusing, because that wasn't the conversation I thought I was having, nor (I'm pretty sure) one I especially wish to (no offence intended). Seems to me, we could spend ages discussing all of those additional things, and, IMO, have little to show for it.

So, regrettably I'll be disregarding at this time most of your post, as I cannot really see the connection to the discussion I _thought_ I was in. It's possible I am misunderstanding, in which case my regrets about that.

> > I'm merely suggesting that if you're already offering a screen to
> > input the IPs of recursive nameservers (and Devuan is), then a
> > checkbox for a local recursive nameserver is a trivial addition with
> > disproportionally large benefits.
>
> I agree, however IPs are input manually in the case the user elected
> to do so (as in a manual interface configuration) or when automatic
> interface configuration failed.

Correct me if I'm mistaken: The default Devuan installer does prompt the user for nameserver IPs if the user is electing to supply a fixed IP address for a network interface, right? That would be where I said a checkbox for '[ ] install and use a local recursive nameserver' would be a trivial addition with disproportionately large benefits.

Although certainly a host on dynamic IP _can_ make effective use of a local recursive nameserver bound to localhost, I hadn't yet put specific thought into where in the installer, if at all, it would make sense to ask and to offer that enhancement. I don't currently have time to ponder those specifics, but certainly on some screen or other it would be perfectly feasible to offer that as a checklist item.

Season to suit with '(Make sure you know what you're doing)' advisories if you honestly think this causes significant failure modes, which in my mere 35 years as a Unix admin have been nonexistent other than captive portals on some hotel wifi except in one or two client sites with such stiflingly severe border firewalling that damned near nothing could talk to outside. But we'll get to those latter situations, below.

> > I don't mean to sound hostile, but _what_ administrative attention?
>
> I already stated that selecting forwarders might be required to let the DNS
> server work in a given environment. In all the telco datacenters where I
> operated internal nodes were not allowed to perform recursive queries on
> their own.

Thank you for clarifying that by 'a local recursive DNS server needs some administrative attention', you do not actually mean attention to the software at all. You mean situations where outbound access to port 53 on the outside Internet has been artificially blocked. This is not what most people mean when they say 'needs some administrative attention'.

When you say 'selecting forwarders might be required', this describes a rare -- and somewhat contrived (IMO) -- example situation where a recursive nameserver has been, in essence, artificially forbidden from functioning as a normal recursive nameserver, except by handing off all outbound queries to a _different_ (corporate-blessed) recursive nameserver that has a gateway ACL permitting _it_ to open sockets to arbitrary outside port 53.

Which situation is one where operating a recursive nameserver on the host being installed is pointless because there already is a local recursive nameserver.

So, to sum, it turns out that your example of the claim that 'of course a local recursive DNS server too needs some administrative attention' turns out to be a situation where a local recursive DNS server doesn't make sense. Aha.

I don't think we would reasonably say 'Of course a Web browser too needs some administrative attention' just because some networks don't permit outbound sockets to 80/tcp on outside servers without configuring the client Web software to send all outbound queries to a designated proxy IP. I mean, such situations do exist, but making that claim without explaining in the next sentence what specifically you mean would be playing disputation games rather than having a conversation.

> [...]
>
> > Point is, the user can be offered a local recursive nameserver (I
> > suggest Unbound on grounds of code quality and clean implementation)
> > running and made _the_ nameserver bound to loopback and accessible from
> > localhost only by default. This can and IMO should be presented as a
> > simple thing.
>
> I cannot see how this layout can solve the problems peculiar networks
> present to the regular, DNS-server free install program. You are just
> shifting the issue from /etc/resolv.conf to /etc/bind/named.conf.

Obviously, (1) I wouldn't (and didn't) suggest BIND9, and (2) a recursive nameserver indeed is not going to be able to function normally by default in networks that artificially prevent recursive nameservers from functioning normally.

You see the latter as a problem. I do not -- for the same reason I don't see it as a problem for a Linux distro (generically; it doesn't matter for present discussion whether Devuan offers this or not) to be able to install and turn on an MTA just because some networks don't allow outbound access to 25/tcp except via corporate-specified gateway IPs.

So, yay, you have a view; I don't share it because I think it's a bit silly. And the rest of your message amounts to more of that.

Here's an idea: We're done.

-- 
Cheers,              "To me, it's a good idea to always carry two sacks of
Rick Moen            something, when you walk around. That way, if anybody
[email protected]    says 'Hey, can you give me a hand?', you can say 'Sorry,
McQ! (4x80)          got these sacks.'" -- Deep Thoughts by Jack Handy
