William Brown wrote:
>> The cache is never fully flushed. It is only flushed for the domain
>> obtained via DHCP or VPN, because those entries can change. They are
>> not changed for anything else. If the upstream ISP could have
>> spoofed them, so be it - the publisher of the domains could have
>> used DNSSEC to prevent that from happening.
> No no no!!!! You need to flush *all* entries. Consider what I resolve
> www.google.com to. That changes *per* ISP because Google provides
> different DNS endpoints and zones to ISPs to optimise traffic! So when
> I use Google at work, I'm now getting a suboptimal route to their
> servers!
You'll still reach Google, but you'll get a suboptimal route for up to
five minutes – provided that you managed to go from home to work and
reconnect your laptop in less than five minutes. Big deal.
I just looked up www.google.com to check, and I got a TTL of 300
seconds on both A and AAAA records.
>> You need caching for DNSSEC validation, so really,
>> every device needs a cache, unless you want to outsource your DNSSEC
>> validation over an insecure transport (LAN). That seems like a very
>> bad idea.
> If your LAN is insecure, you have other issues. That isn't the problem
> you are trying to solve.
If admins want to set up firewalls, link-layer encryption, intrusion
detection and stuff in an attempt to keep all adversaries out of their
LAN, and then have the security of servers and workstations depend on
the guarantee that the LAN is secure, then they should have to
explicitly configure each computer to trust everybody on the LAN.
Fedora can *not* assume that it will only ever be connected to secure,
isolated networks.
> A home user is likely to toy with things and set a
> high-ish TTL, say even 10 minutes, and change records on their server.
> Then their records appear broken, because the local cache isn't expired
> yet.
The kind of user who runs their own DNS at home and tinkers with
settings like that is the kind of person who will learn from the
experience and will thereafter know what DNS caching is.
> Intermittent network issues for different people on a network? The
> cache is allowing some people to work, but masking the issue to them.
> It's not allowing people to quickly and effectively isolate issues.
You keep repeating this argument, as if it's somehow a bad thing that
people can continue to work even when the DNS servers have a temporary
problem. To me it sounds more like an argument for why the network
admins should disable the cache on their own workstations and leave it
enabled on everybody else's, so that the admins will be the first to
discover a problem – and that translates to an argument for having a
cache by default.
--
Björn Persson
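The two flush policies argued over in this exchange, flushing only the entries under the DHCP/VPN-supplied domains versus flushing everything, as a small Python model of a local cache across a network change. This is an added example, not code from the thread or from any Fedora resolver; the cache class, the simulate() helper, the search domain home.example, and the addresses and TTLs are all constructed for illustration. The 300 s TTL is the value reported in the mail above.

```python
"""Model of a local DNS cache across a network change.

Added example, not code from the thread or from any Fedora component.
Policies compared:
  "scoped": on a network change, drop only entries at or under the search
            domains the old network supplied via DHCP/VPN;
  "all":    drop every entry.
All names, addresses and TTLs are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    name: str
    rtype: str
    rdata: str
    expires_at: float  # absolute time after which the answer must not be served


class Cache:
    def __init__(self):
        self._entries = {}

    def put(self, name, rtype, rdata, ttl, now):
        key = (name.lower().rstrip("."), rtype)
        self._entries[key] = Entry(key[0], rtype, rdata, now + ttl)

    def get(self, name, rtype, now):
        """Return the live entry, or None if absent or expired.
        Remaining TTL for a client is entry.expires_at - now."""
        key = (name.lower().rstrip("."), rtype)
        e = self._entries.get(key)
        if e is None or e.expires_at <= now:
            self._entries.pop(key, None)  # expired entries are evicted lazily
            return None
        return e

    def flush(self, policy, old_search_domains=()):
        if policy == "all":
            self._entries.clear()
            return
        if policy != "scoped":
            raise ValueError(f"unknown policy {policy!r}")
        doms = tuple(d.lower().strip(".") for d in old_search_domains)

        def in_scope(name):
            # exact match or a proper subdomain of a DHCP/VPN-supplied domain
            return any(name == d or name.endswith("." + d) for d in doms)

        self._entries = {k: e for k, e in self._entries.items() if not in_scope(e.name)}


def simulate(policy, time_away):
    """What a lookup sees after moving from the home network (search domain
    home.example, constructed) to another network, time_away seconds later."""
    cache = Cache()
    t = 0.0
    # Learned at home: a public name with the 300 s TTL reported in the thread
    # (address constructed), and a name under the DHCP-supplied search domain.
    cache.put("www.google.com", "A", "192.0.2.10", 300, t)
    cache.put("printer.home.example", "A", "192.0.2.50", 3600, t)
    t += time_away
    cache.flush(policy, old_search_domains=["home.example"])
    public = cache.get("www.google.com", "A", t)
    local = cache.get("printer.home.example", "A", t)
    return {
        "stale_public_answer": public.rdata if public else None,
        "stale_seconds_left": (public.expires_at - t) if public else 0.0,
        "old_lan_name_cached": local is not None,
    }


if __name__ == "__main__":
    for policy in ("scoped", "all"):
        for away in (60, 300):
            print(f"{policy:6s} away={away:3d}s -> {simulate(policy, away)}")
```

Under the scoped policy the home ISP's answer for the public name is served for whatever is left of its TTL (240 s after a 60 s move, nothing after 300 s), while the name under the old search domain is gone immediately; under the all policy every name must be re-resolved after the move, which is the trade the two sides above are weighing.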