[sf-lug] DNSSEC, systemd, ...

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed Jan 9 22:01:56 PST 2019


> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [sf-lug] Wi-Fi woes
> Date: Wed, 9 Jan 2019 15:35:10 -0800

> Yeah, sf-lug at linuxmafia.com had a very recent thread about how
> systemd-resolved is a piece of junk that breaks ln an important DNSSEC
> function.
>
> Me, I'd turn the thing off.  As I said then.

Yeah DNSSEC!  DNSSEC good*, things that break it bad.

So, we have stuff like systemd, ... not that it doesn't
have *some* arguments/merits, but an awful lot of systemd is mostly a whole
lot 'o reinventing the wheel ... poorly.  Or:
"Those who fail to learn from history are doomed to repeat it."
So ... systemd tends to break all kinds of things, in many various
ways.  And thank goodness the Debian folks rather nicely pulled
systemd well apart and also offer choices - many other init
systems to pick from, ... or one can go with a relatively minimal
systemd init system, and not pull in all the other bloat of
systemd-we-will-be-your-one-thing-to-rule-them-all-huge-bloatware-of-everything-poorly-reimplemented-software-behemoth-thingy-of-course-running-as-all-powerful-root-trust-us-we-will-never-mess-up-good-luck-with-that-and-if-you-believe-that-...

*And it's not like DNSSEC is being forced down your throat,
if you don't want to use it or look at it, or want to ignore it,
fine ... and for the most part you won't even notice any differences,
unless you're paying reasonably close attention.
DNS is such critical infrastructure/service, that RFC standards
around it are done highly carefully, and with much review and testing,
to *not* break things or backwards compatibility.  In general, everyone
doing things "the right way" (per the specified standards) - things continue
to work ... and if you also implement the standards that extend that, then
hey, great, you get those benefits/features/capabilities too - if you're
still stickin' with the old - fine - that all still works too.
And, whenever you're ready for it, DNSSEC helps solve a significant
security issue that's been around since the dawn of DNS.  DNSSEC isn't
the only relevant "solution" or useful piece thereof, but there
are many that help solve that issue - notably authentication/integrity
of data - in the case of DNSSEC, the DNS data.  Without DNSSEC,
if DNS data is tampered with on the wire, that may be essentially
undetectable, and one may - or may not - have other means to, at
least selectively - detect such issues.  With DNSSEC, at least
where it's properly used, DNSSEC secured DNS data effectively won't
be compromised (altered data will fail the SEC checks, and be rejected
and the rejected DNS data not used).
If you really dig into DNS history and the RFC standards thereof, it's
a pretty amazing engineering history - continuing to improve and extend,
while retaining backwards compatibility with earlier standard capabilities
and features.  Very similar can be said of IP, TCP, UDP, addition of
IPv6 (yeah, sf-lug.org, sf-lug.com, & balug.com all also quite fully
support IPv6), etc.

And, how many of 'yall know that sf-lug.org, sf-lug.com, and
balug.com have been using DNSSEC for *years* now.  :-)
And how 'many 'o 'yall (or *anybody*) has had *any* DNSSEC or
DNSSEC caused or related issues with *any* of those domains?
I'll tell you how many - none 'o y'all and nobody, because there
have not been and there are no issues.  So, you can continue right
along using them fine as if nothing changed, and pretend DNSSEC doesn't
exist if you wish ... or fully adopt/use it at your earliest convenience,
or anything between ... or you might even already be using it and not
even know it (many clients and resolvers are increasingly supporting,
and increasingly by default using, DNSSEC).