From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lennier.cc.vt.edu (lennier.cc.vt.edu [198.82.162.213]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by huchra.bufferbloat.net (Postfix) with ESMTPS id 8FAC221F1D7 for ; Sun, 20 Apr 2014 08:17:24 -0700 (PDT) Received: from mr1.cc.vt.edu (mr1.cc.vt.edu [198.82.141.12]) by lennier.cc.vt.edu (8.13.8/8.13.8) with ESMTP id s3KFGpIW003810; Sun, 20 Apr 2014 11:16:51 -0400 Received: from auth1.smtp.vt.edu (auth1.smtp.vt.edu [198.82.161.152] (may be forged)) by mr1.cc.vt.edu (8.14.4/8.14.4) with ESMTP id s3KFGkqn002794; Sun, 20 Apr 2014 11:16:51 -0400 Received: from turing-police.cc.vt.edu ([IPv6:2601:8:1f80:613:818b:27b2:7993:a203]) (authenticated bits=0) by auth1.smtp.vt.edu (8.14.4/8.14.4) with ESMTP id s3KFGj6S021697 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 20 Apr 2014 11:16:46 -0400 X-Mailer: exmh version 2.8.0 04/21/2012 with nmh-1.5+dev To: Chuck Anderson In-Reply-To: Your message of "Sun, 20 Apr 2014 10:01:45 -0400." <20140420140144.GZ16334@angus.ind.WPI.EDU> From: Valdis.Kletnieks@vt.edu References: <1c739791-2058-4267-bc41-789496d74faf@email.android.com> <20140413175940.GP16334@angus.ind.WPI.EDU> <20140420140144.GZ16334@angus.ind.WPI.EDU> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_1398007005_2032P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Sun, 20 Apr 2014 11:16:45 -0400 Message-ID: <157885.1398007005@turing-police.cc.vt.edu> X-Spam-Status: No, score=-0.7 required=5.0 tests=RP_MATCHES_RCVD autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mr1.cc.vt.edu Cc: cerowrt-devel@lists.bufferbloat.net Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default? 
X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project X-List-Received-Date: Sun, 20 Apr 2014 15:17:24 -0000

On Sun, 20 Apr 2014 10:01:45 -0400, Chuck Anderson said:
> The first effect of using a client-side DNSSEC validator is that
> gw.home.lan doesn't work:
>
> Apr 20 00:12:32 a unbound[1885]: [1885:1] info: validation failure : no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust
>
> To make this work, you have to tell unbound that home.lan is an
> insecure domain:
>
> unbound-control insecure_add home.lan.

Ouch. This wouldn't be so bad, if there was some way to tell it to believe
*your* instance of home.lan, but not trust the babbling of any other instance
you might come across.

What we *really* want to do with unbound is this stuff in the unbound.conf file:

       trust-anchor-file:
              File with trusted keys for validation. Both DS and DNSKEY
              entries can appear in the file. The format of the file is
              the standard DNS Zone file format. Default is "", or no
              trust anchor file.

       auto-trust-anchor-file:
              File with trust anchor for one zone, which is tracked with
              RFC5011 probes. The probes are several times per month,
              thus the machine must be online frequently. The initial
              file can be one with contents as described in
              trust-anchor-file. The file is written to when the anchor
              is updated, so the unbound user must have write permission.

       trust-anchor: <"Resource Record">
              A DS or DNSKEY RR for a key to use for validation.
              Multiple entries can be given to specify multiple trusted
              keys, in addition to the trust-anchor-files. The resource
              record is entered in the same format as 'dig' or 'drill'
              prints them, the same format as in the zone file. Has to
              be on a single line, with "" around it. A TTL can be
              specified for ease of cut and paste, but is ignored. A
              class can be specified, but class IN is default.

       trusted-keys-file:
              File with trusted keys for validation. Specify more than
              one file with several entries, one file per entry. Like
              trust-anchor-file but has a different file format. Format
              is BIND-9 style format, the trusted-keys { name flag proto
              algo "key"; }; clauses are read. It is possible to use
              wildcards with this statement, the wildcard is expanded on
              start and on reload.

Having said that, I admit not having in hand an easy way to feed unbound
the needed info. Not sure if 'dig home.lan ds > trust-anchor-here' will do
it, as the unbound on my laptop isn't configured to talk to DNS learned via
DHCP, so home.lan doesn't resolve at all for me...
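Added example, not from this thread and not part of unbound or cerowrt: a short Python script showing what the "believe *your* instance of home.lan" step would look like. It takes the zone's DNSKEY record in the format dig prints it, computes the RFC 4034 key tag and a SHA-256 DS record (digest over the owner name in wire form plus the DNSKEY RDATA), and emits the unbound.conf trust-anchor: line that pins that one key, next to the domain-insecure: line that is the config-file equivalent of insecure_add. The zone name and the key bytes in SAMPLE_DNSKEY are constructed placeholders; a real anchor has to be copied from the router itself (its config over ssh or its web UI), not fetched over DNS, because an unvalidated DNS fetch is exactly what the anchor exists to replace.

```python
"""Turn a zone's DNSKEY into an unbound trust anchor (added example, constructed input)."""
import base64
import hashlib
import struct

# Constructed sample input: a DNSKEY line as `dig home.lan DNSKEY` would print it.
# The base64 key body is a placeholder, not a real RSA key.
SAMPLE_DNSKEY = "home.lan. 3600 IN DNSKEY 257 3 8 AQI="

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' into its fields."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record")
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # dig may split the key over fields
    return owner, flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, proto: int, alg: int, pubkey: bytes,
              digest_type: int = 2) -> str:
    """DS RR text for a DNSKEY; the digest covers owner-name wire form + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    owner = owner.lower() if owner.endswith(".") else owner.lower() + "."
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def unbound_trust_anchor_config(dnskey_line: str) -> str:
    """unbound.conf lines that pin this one key for the zone (the stronger option)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100:  # Zone Key bit (RFC 4034 bit 7)
        raise ValueError("Zone Key flag not set; this DNSKEY cannot validate RRSIGs")
    ds = ds_record(owner, flags, proto, alg, pubkey)
    sep_note = "" if flags & 0x0001 else "    # SEP bit not set: this looks like a ZSK, not a KSK\n"
    return (
        "server:\n"
        f"    # pin our own {owner} key; any other instance of the zone fails validation\n"
        + sep_note
        + f'    trust-anchor: "{ds}"\n'
    )


def unbound_insecure_config(zone: str) -> str:
    """The weaker option from the thread: skip DNSSEC validation for the zone entirely."""
    return f'server:\n    domain-insecure: "{zone}"\n'


if __name__ == "__main__":
    print(unbound_insecure_config("home.lan."))
    print(unbound_trust_anchor_config(SAMPLE_DNSKEY))
```

The trust-anchor: line is static, so it goes stale the day the router rolls its KSK and every home.lan lookup starts failing validation again; for a zone that publishes key rollovers the RFC 5011 way, auto-trust-anchor-file: with the same DS as its initial contents tracks the change instead, at the cost of the unbound user needing write access to that file.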