Re: [DNG] how to clear DNS cache
Author: Rick Moen
Date:
To: dng
Subject: Re: [DNG] how to clear DNS cache
Quoting Alessandro Selli (alessandroselli@???):

> I followed the same logic when I listed 26 alternate public DNS servers to
> choose from. I know it contradicts my own argument that the install program
> should ask the fewest possible questions.


Before I follow you further down this rabbit hole, I'm curious: Are
you still speaking about Devuan and its distro installer? Because my
understanding is that Devuan is not currently aspiring to have 'zero
questions asked' (your phrase) nor anything like the fewest possible
interactions with the installing administrator for the default
installation mode.

I have been assuming we were impliedly talking about the default
installation mode, not a non-default fully-automated mode nor a
non-default expert installation mode, or anything else of that sort.

I ask because your current posting meanders all over those things, which
is confusing, because that wasn't the conversation I thought I was
having, nor (I'm pretty sure) one I especially wish to (no offence
intended). Seems to me, we could spend ages discussing all of those
additional things, and, IMO, have little to show for it.

So, regrettably I'll be disregarding at this time most of your post, as
I cannot really see the connection to the discussion I _thought_ I
was in.

It's possible I am misunderstanding, in which case my regrets about
that.


> > I'm merely suggesting that if you're already offering a screen to
> > input the IPs of recursive nameservers (and Devuan is), then a
> > checkbox for a local recursive nameserver is a trivial addition with
> > disproportionally large benefits.
>
> I agree, however IPs are input manually in the case the user elected
> to do so (as in a manual interface configuration) or when automatic
> interface configuration failed.


Correct me if I'm mistaken: The default Devuan installer does prompt the
user for nameserver IPs if the user is electing to supply a fixed IP
address for a network interface, right? That would be where I said a
checkbox for '[ ] install and use a local recursive nameserver' would
be a trivial addition with disproportionately large benefits.

Although certainly a host on dynamic IP _can_ make effective use of a
local recursive nameserver bound to localhost, I hadn't yet put
specific thought into where in the installer, if at all, it would
make sense to ask and to offer that enhancement.

I don't currently have time to ponder those specifics, but certainly
on some screen or other it would be perfectly feasible to offer that as
a checklist item. Season to suit with '(Make sure you know what you're
doing)' advisories if you honestly think this causes significant failure
modes, which in my mere 35 years as a Unix admin have been nonexistent,
other than captive portals on some hotel wifi, except in one or two
client sites with such stiflingly severe border firewalling that damned
near nothing could talk to outside. But we'll get to those latter
situations, below.


> > I don't mean to sound hostile, but _what_ administrative attention?
>
> I already stated that selecting forwarders might be required to let the DNS
> server work in a given environment. In all the telco datacenters where I
> operated, internal nodes were not allowed to perform recursive queries on
> their own.


Thank you for clarifying that by 'a local recursive DNS server needs
some administrative attention', you do not actually mean attention to
the software at all. You mean situations where outbound access to port
53 on the outside Internet has been artificially blocked.

This is not what most people mean when they say 'needs some
administrative attention'.

When you say 'selecting forwarders might be required', this describes a
rare -- and somewhat contrived (IMO) -- example situation where a
recursive nameserver has been, in essence, artificially forbidden from
functioning as a normal recursive nameserver, except by handing off all
outbound queries to a _different_ (corporate-blessed) recursive
nameserver that has a gateway ACL permitting _it_ to open sockets to
arbitrary outside port 53. Which situation is one where operating
a recursive nameserver on the host being installed is pointless because
there already is a local recursive nameserver.

So, to sum up: it turns out that your example of the claim that 'of
course a local recursive DNS server too needs some administrative
attention' is a situation where a local recursive DNS server doesn't
make sense.

Aha.

I don't think we would reasonably say 'Of course a Web browser too needs
some administrative attention' just because some networks don't permit
outbound sockets to 80/tcp on outside servers without configuring the
client Web software to send all outbound queries to a designated proxy
IP. I mean, such situations do exist, but making that claim without
explaining in the next sentence what specifically you mean would be
playing disputation games rather than having a conversation.



> [...]
>
> > Point is, the user can be offered a local recursive nameserver (I
> > suggest Unbound on grounds of code quality and clean implementation)
> > running and made _the_ nameserver bound to loopback and accessible from
> > localhost only by default. This can and IMO should be presented as a
> > simple thing.
>
> I cannot see how this layout can solve the problems peculiar networks
> present to the regular, DNS-server free install program. You are just
> shifting the issue from /etc/resolv.conf to /etc/bind/named.conf.


Obviously, (1) I wouldn't (and didn't) suggest BIND9, and (2) a
recursive nameserver indeed is not going to be able to function normally
by default in networks that artificially prevent recursive nameservers
from functioning normally.

You see the latter as a problem. I do not -- for the same reason I
don't see it as a problem for a Linux distro (generically; it doesn't
matter for present discussion whether Devuan offers this or not) to be
able to install and turn on an MTA just because some networks don't
allow outbound access to 25/tcp except via corporate-specified gateway
IPs.

So, yay, you have a view; I don't share it because I think it's a bit
silly. And the rest of your message amounts to more of that. Here's an
idea: We're done.

-- 
Cheers,              "To me, it's a good idea to always carry two sacks of 
Rick Moen            something, when you walk around.  That way, if anybody 
rick@???  says 'Hey, can you give me a hand?', you can say 'Sorry,
McQ! (4x80)          got these sacks.'"      -- Deep Thoughts by Jack Handy
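As an added example (not part of Rick's or Alessandro's posts, and not Devuan installer code), this is what the layout argued over in the thread looks like as an Unbound configuration: a recursive resolver bound to loopback and answering only localhost, with the forward-zone that Alessandro's restricted-egress telco scenario would require left commented out. The file path, the trust-anchor path and the forwarder addresses (RFC 5737 documentation range) are assumptions.

```conf
# /etc/unbound/unbound.conf (assumed path; Debian-family packages usually
# also read /etc/unbound/unbound.conf.d/*.conf)
server:
    # Listen on loopback only: the host resolves for itself and the daemon
    # is never reachable from the network, so it cannot become an open
    # resolver.
    interface: 127.0.0.1
    interface: ::1
    port: 53

    # Belt and braces: refuse everything except localhost, even if an
    # interface line is later widened.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Validate DNSSEC against the root trust anchor (path assumed;
    # unbound-anchor(8) keeps the file current).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hardening and privacy options that only become yours to set once
    # you run the resolver yourself.
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    hide-identity: yes
    hide-version: yes

# Only for the case Alessandro describes: the site blocks outbound 53 and
# only a corporate-blessed resolver may recurse. Uncomment and point at
# that resolver; the addresses below are placeholders.
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.53
#     forward-addr: 192.0.2.54

# Lets unbound-control(8) on this host flush the cache (the subject of
# this thread); the keys it needs come from unbound-control-setup(8).
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
```

With this in place, /etc/resolv.conf carries only `nameserver 127.0.0.1` (and `nameserver ::1`). Run `unbound-checkconf` before restarting the daemon; `unbound-control reload` re-reads the file and empties the cache, which is the answer to the thread's original question once the resolver lives on the host. The forward-zone, when enabled, is exactly the hand-off Rick objects to: every query still leaves the box for the blessed resolver, so the local instance only adds a cache and DNSSEC validation, and the access-control lines are what keep it from being an open resolver either way.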