1112310 – when all fallbacks fail, dnssec-trigger blindly configures full recursion

Bug 1112310 - when all fallbacks fail, dnssec-trigger blindly configures full recursion

Summary: when all fallbacks fail, dnssec-trigger blindly configures full recursion

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	dnssec-trigger
Sub Component:
Version:	20
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Pavel Šimerda (pavlix)
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-06-23 14:45 UTC by Pavel Šimerda (pavlix)
Modified:	2014-09-23 08:38 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2014-09-23 08:38:18 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Pavel Šimerda (pavlix) 2014-06-23 14:45:08 UTC

When all fallbacks fail (which they always do due to bug #1109292), dnssec-triggerd configures unbound to use full recursion (which will be often blocked) without checking whether the full recursion is working or not.

The result is a user without DNS resolution but also without any information suggesting why that happens and how to at least get connectivity not secured by DNSSEC, which may well be the only way to access internet resources.

Comment 1 Pavel Šimerda (pavlix) 2014-09-23 08:38:18 UTC

We talked about this and the conclusion is that full recursion is currently considered a good way to offload the infrastructure servers, so it's not only set up when fallbacks don't work, but it's even attempted first.

Note You need to log in before you can comment on or make changes to this bug.