Bug 1112310

Summary: when all fallbacks fail, dnssec-trigger blindly configures full recursion
Product: [Fedora] Fedora
Component: dnssec-trigger
Version: 20
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Pavel Šimerda (pavlix) <psimerda>
Assignee: Pavel Šimerda (pavlix) <psimerda>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: psimerda, pwouters, thozza, vonsch
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-09-23 08:38:18 UTC

Description Pavel Šimerda (pavlix) 2014-06-23 14:45:08 UTC
When all fallbacks fail (which they always do due to bug #1109292), dnssec-triggerd configures unbound to use full recursion (which will often be blocked) without checking whether the full recursion is working or not.

The result is a user without DNS resolution but also without any information suggesting why that happens and how to at least get connectivity not secured by DNSSEC, which may well be the only way to access internet resources.

Comment 1 Pavel Šimerda (pavlix) 2014-09-23 08:38:18 UTC
We talked about this and the conclusion is that full recursion is currently considered a good way to offload the infrastructure servers, so it's not only set up when fallbacks don't work, but it's even attempted first.