Bug 1112310 - when all fallbacks fail, dnssec-trigger blindly configures full recursion
Summary: when all fallbacks fail, dnssec-trigger blindly configures full recursion
Alias: None
Product: Fedora
Classification: Fedora
Component: dnssec-trigger
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Pavel Šimerda (pavlix)
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2014-06-23 14:45 UTC by Pavel Šimerda (pavlix)
Modified: 2014-09-23 08:38 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-09-23 08:38:18 UTC
Type: Bug

Attachments (Terms of Use)

Description Pavel Šimerda (pavlix) 2014-06-23 14:45:08 UTC
When all fallbacks fail (which they always do due to bug #1109292), dnssec-triggerd configures unbound to use full recursion (which will be often blocked) without checking whether the full recursion is working or not.

The result is a user without DNS resolution but also without any information suggesting why that happens and how to at least get connectivity not secured by DNSSEC, which may well be the only way to access internet resources.

Comment 1 Pavel Šimerda (pavlix) 2014-09-23 08:38:18 UTC
We talked about this and the conclusion is that full recursion is currently considered a good way to offload the infrastructure servers, so it's not only set up when fallbacks don't work, but it's even attempted first.

Note You need to log in before you can comment on or make changes to this bug.