On Thu, 22 Jan 2015, Petr Spacek wrote:
> 2) Query processing for cases where local servers do not support DNSSEC:
>    - Do recursion and validation using external DNS servers.
>      a) If result is SECURE -> return result.
>      b) If result is provably INSECURE -> query local servers advertised by DHCP and return whatever they returned.
Is this really worth the effort and the risk? This is clearly not ideal when at a coffee shop. And as a concept, unexplainable to end users.
> This algorithm covers DNS split-views with internal unsigned views pretty nicely as long as the fundamental assumption holds.
In my opinion, the way to do this is simply an option in Network Manager that says "when on this network, trust and use the local DNS". Simple. Easy to explain to end users. Easy to implement without python modules. Does not change behaviour based on whether domains are DNSSEC signed.

Paul

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
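The two resolution policies discussed in this thread, modelled side by side as an added example (not code from the thread or from Unbound): the quoted proposal falls back to the DHCP-advertised servers whenever a name is provably unsigned, while the per-network "trust the local DNS" option switches on the network, not the signing status. The resolver tables, names and addresses are constructed; treating a BOGUS result as a failure (None) is an assumption the thread does not spell out.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Status(Enum):
    SECURE = "secure"      # DNSSEC chain validated
    INSECURE = "insecure"  # provably unsigned (NSEC/NSEC3 proof of no DS)
    BOGUS = "bogus"        # validation failed


@dataclass
class Answer:
    status: Status
    rdata: List[str]


# Constructed answers from an external validating resolver.
EXTERNAL: Dict[str, Answer] = {
    "signed.example.": Answer(Status.SECURE, ["192.0.2.10"]),
    "unsigned.example.": Answer(Status.INSECURE, ["192.0.2.20"]),
    "corp.internal.example.": Answer(Status.INSECURE, []),  # NXDOMAIN in the public view
    "broken.example.": Answer(Status.BOGUS, []),
}

# Constructed answers from the DHCP-advertised (non-validating) local servers.
# An untrusted network could hand out whatever it likes for unsigned names.
LOCAL: Dict[str, List[str]] = {
    "signed.example.": ["198.51.100.10"],
    "unsigned.example.": ["198.51.100.20"],
    "corp.internal.example.": ["10.0.0.5"],  # split-view internal name
    "broken.example.": ["198.51.100.30"],
}

External = Callable[[str], Answer]
Local = Callable[[str], List[str]]


def signing_based_policy(name: str, external: External, local: Local) -> Optional[List[str]]:
    """Quoted proposal: validate via external servers; use local servers only for provably unsigned names."""
    ext = external(name)
    if ext.status is Status.SECURE:
        return ext.rdata
    if ext.status is Status.INSECURE:
        return local(name)  # local answer wins, even on an untrusted network
    return None  # BOGUS: assumed to be served as a failure


def network_based_policy(name: str, external: External, local: Local, trust_local: bool) -> Optional[List[str]]:
    """Reply's alternative: a per-network flag decides whether the local DNS is used at all."""
    if trust_local:
        return local(name)
    ext = external(name)
    return ext.rdata if ext.status is not Status.BOGUS else None
```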
