On Thu, Jun 21, 2018 at 4:52 AM Joe Abley <jab...@hopcount.ca> wrote:
> On Jun 20, 2018, at 21:05, Shumon Huque <shu...@gmail.com> wrote:
>
>
> On Wed, Jun 20, 2018 at 7:30 PM Joe Abley <jab...@hopcount.ca> wrote:
>
>> On Jun 20, 2018, at 19:07, Warren Kumari <war...@kumari.net> wrote:
>>
>> ... what I'd always wanted[0] was to be able to set up my own recursive
>> name server somewhere on the Internet, and then only allow myself (and a
>> few of my closest friends) to be able to query it.
>>
>> For this particular use-case, why is SIG(0) better than TSIG?
>>
>
> Either might be fine in these small user scenarios.
>
>
> Yes, I know, hence the question. Warren usually has his reasons :-)
>

Yes, but these are often related to "because it amused me or seemed like a good idea at the time", and so it is always worth checking :-)

I was wanting to be able to provide this on the order of 50 - 100 devices. This includes all my devices, including laptops, phones, tablets, travel routers, kindle, and all of my wife's devices (similar set), and my aunty Sue's devices.

Ideally this would also be usable for something like a small enterprise (without having a full VPN).

Managing TSIG keys for all those seems tricky.

I don't actually think that TSIG would do what I want either -- technically it could, but I think that what is missing is the ability to easily configure keying information in /etc/resolv.conf (or other stub config). Ideally I'd like to add something to resolv.conf (or similar) saying:

nameserver 192.0.2.53 key 0xbadc0ffee

I think that 95% of the issue is on the stub side. Paul's https://github.com/BII-Lab/DNSoverHTTP and Stubby both come fairly close to solving this.

The more I think about it, DPRIVE and DoH are driving towards what I want.

> The follow-on question was why he needs this functionality in the stub
> resolver rather than running a local copy of BIND9 (bound to localhost,
> configured appropriately) and pointing his stub resolver at that.
>

A couple of reasons:

1: I'd like to be able to take advantage of a shared cache
2: I'd like to be able to use this for my {mac, androids, iPhone / iPads, linux laptops}, my wife's {mac, iPhone / iPads, linux laptops}, travel router, kindle, etc.

Apart from the fact that I cannot run BIND / Unbound on many of these devices, keeping this many full nameservers watered and fed would be annoying.

W

>
> Joe
>

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
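Warren's sketch of a keyed `nameserver` line, and the question of what TSIG would actually require on the stub and on the resolver, as an added example that is not part of the thread or of any project mentioned in it: a pure-Python stub-side TSIG signer in the RFC 8945 wire format (hmac-sha256) and the matching resolver-side check, which answers only queries carrying a valid TSIG from a key on its allow-list and rejects unsigned, tampered, unknown-key and stale queries. The `nameserver <ip> key <alg>:<name>:<base64>` syntax is hypothetical: it extends Warren's `key 0xbadc0ffee` with the key name and algorithm a TSIG key needs. The secret, key name, query name, address and clock value are all constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

TSIG_TYPE = 250      # RR type TSIG (RFC 8945)
CLASS_ANY = 255
FUDGE = 300          # allowed clock skew in seconds; RFC 8945 recommends 300

# Constructed key material for the example; not a real key.
EXAMPLE_SECRET_B64 = base64.b64encode(b"constructed example secret, not a real key").decode()
# Hypothetical resolv.conf extension: Warren's 'nameserver ... key ...' sketch,
# extended with the key name and algorithm that a TSIG key requires.
STUB_CONFIG = f"""# stub resolver config (hypothetical syntax, constructed for this example)
nameserver 192.0.2.53 key hmac-sha256:home-stub.example:{EXAMPLE_SECRET_B64}
"""

def encode_name(name: str) -> bytes:
    """Wire-format a domain name; TSIG covers names in canonical (lowercase) form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Read an uncompressed name (the TSIG RR's names are never compressed here)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def _skip_name(buf: bytes, off: int) -> int:
    """Skip a name that may end in a compression pointer (0xC0xx)."""
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_stub_config(text: str) -> dict:
    """Parse the hypothetical 'nameserver <ip> key <alg>:<name>:<base64>' line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "nameserver" and parts[2] == "key":
            alg, key_name, b64 = parts[3].split(":")
            return {"server": parts[1], "alg": alg, "key_name": key_name.lower(),
                    "secret": base64.b64decode(b64)}
    raise ValueError("no keyed nameserver line in config")

def build_query(qname: str, qtype: int, msg_id: int) -> bytes:
    """Plain DNS query: header with RD set plus one question, no TSIG yet."""
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_variables(key_name: str, alg: str, signed_at: int, fudge: int, error: int = 0) -> bytes:
    """TSIG variables covered by the MAC: name, class, TTL, alg, time, fudge, error, other len."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + signed_at.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, 0))

def tsig_sign(msg: bytes, cfg: dict, now: Optional[int] = None) -> bytes:
    """Stub side: MAC over (message || variables), append the TSIG RR, bump ARCOUNT."""
    signed_at = int(time.time()) if now is None else now
    mac = hmac.new(cfg["secret"], msg + tsig_variables(cfg["key_name"], cfg["alg"], signed_at, FUDGE),
                   hashlib.sha256).digest()
    orig_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (encode_name(cfg["alg"]) + signed_at.to_bytes(6, "big") + struct.pack("!HH", FUDGE, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    rr = encode_name(cfg["key_name"]) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr

def tsig_verify(signed: bytes, keys: Dict[str, bytes], now: Optional[int] = None) -> Tuple[bool, str]:
    """Resolver side: answer only queries carrying a valid TSIG from a key on the allow-list."""
    now = int(time.time()) if now is None else now
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "refused: no TSIG on query"
    off = 12
    for _ in range(qd):
        off = _skip_name(signed, off) + 4
    last = off
    for _ in range(an + ns + ar):            # TSIG must be the last RR of the additional section
        last = off
        off = _skip_name(signed, off) + 8
        off += 2 + struct.unpack("!H", signed[off:off + 2])[0]
    key_name, p = _read_name(signed, last)
    rtype = struct.unpack("!HHIH", signed[p:p + 10])[0]; p += 10
    if rtype != TSIG_TYPE:
        return False, "refused: last RR is not TSIG"
    alg, p = _read_name(signed, p)
    signed_at = int.from_bytes(signed[p:p + 6], "big"); p += 6
    fudge, mac_size = struct.unpack("!HH", signed[p:p + 4]); p += 4
    mac = signed[p:p + mac_size]; p += mac_size
    orig_id, error, _ = struct.unpack("!HHH", signed[p:p + 6])
    secret = keys.get(key_name)
    if secret is None or alg != "hmac-sha256":
        return False, "BADKEY: unknown key or algorithm"   # RFC 8945: RCODE NOTAUTH, TSIG error BADKEY
    # Rebuild the message as it was before the TSIG RR was appended (original ID, ARCOUNT - 1).
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:last]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, alg, signed_at, fudge, error),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG: MAC mismatch"
    if abs(now - signed_at) > fudge:
        return False, "BADTIME: outside fudge window"
    return True, "ok"

def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the stub and resolver halves against each other with a fixed clock."""
    cfg = parse_stub_config(STUB_CONFIG)
    allowed = {cfg["key_name"]: cfg["secret"]}       # the resolver's list of authorised keys
    now = 1529540000                                  # constructed clock value, for reproducibility
    query = build_query("www.example.com", 1, msg_id=0x1234)
    signed = tsig_sign(query, cfg, now)
    tampered = signed[:20] + bytes([signed[20] ^ 1]) + signed[21:]   # flip one bit inside the QNAME
    return {
        "valid": tsig_verify(signed, allowed, now + 30),
        "unsigned": tsig_verify(query, allowed, now),
        "tampered": tsig_verify(tampered, allowed, now),
        "unknown_key": tsig_verify(signed, {"other.example": cfg["secret"]}, now),
        "stale": tsig_verify(signed, allowed, now + FUDGE + 1),
    }
```

Calling `demo()` returns the five outcomes; only the signed, untouched query inside the fudge window is accepted. The two halves make the management point concrete: every device needs its own `nameserver ... key` line and the resolver needs a matching allow-list entry, and a secret that leaks from one device has to be rotated in both places. The check order (key, then MAC, then time) follows RFC 8945, and the MAC comparison is constant-time.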