From: Chuck Anderson
To: cerowrt-devel@lists.bufferbloat.net
Date: Sun, 20 Apr 2014 10:01:45 -0400
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?

On Sun, Apr 13, 2014 at 01:59:41PM -0400, Chuck Anderson wrote:
> On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
> >
> > > Is there a "D"?
> >
> > Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
>
> How do these proposals compare with unbound+dnssec-trigger in the
> Fedora world?  I stirred up a rats nest:
>
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
>
> I realize these are slightly different use cases, but it may be
> helpful to learn from the different implementations, if for no other
> reason than to be sure they interoperate.  I'm going to turn on
> unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> turned on to see what happens...

The first effect of using a client-side DNSSEC validator is that
gw.home.lan doesn't work:

Apr 20 00:12:32 a unbound[1885]: [1885:1] info: validation failure : no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust

To make this work, you have to tell unbound that home.lan is an
insecure domain:

unbound-control insecure_add home.lan.
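
An added example, not part of the original message: a shell function that reads unbound log lines shaped like the one quoted above and proposes the insecure_add override only when the failing names sit inside the local zone, so failures for other names stay visible. The function names and sample lines are constructed here, and it assumes the log carries the `<name type class>` field after "validation failure".

```shell
#!/bin/sh
# Constructed sample log lines modelled on the one in the message; the
# <name type class> field and the hosts other than gw.home.lan are assumptions.
sample_log() {
cat <<'EOF'
Apr 20 00:12:32 a unbound[1885]: [1885:1] info: validation failure <gw.home.lan. A IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust
Apr 20 00:12:40 a unbound[1885]: [1885:1] info: validation failure <printer.home.lan. AAAA IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust
Apr 20 00:13:02 a unbound[1885]: [1885:1] info: validation failure <www.example.com. A IN>: no NSEC3 records from 192.0.2.53 for DS example.com. while building chain of trust
EOF
}

# triage_failures ZONE: read unbound log lines on stdin. ZONE is the locally
# served zone, lowercase with a trailing dot (e.g. home.lan.).
# Prints one insecure_add command if any failed name is inside ZONE, and a
# comment line for every failed name outside it (those must keep validating).
triage_failures() {
    zone=$1
    awk -v zone="$zone" '
    /validation failure </ {
        # Pull the query name out of "<name type class>".
        rest = substr($0, index($0, "validation failure <") + 20)
        e = index(rest, ">")
        if (e == 0) next
        split(substr(rest, 1, e - 1), q, " ")
        name = tolower(q[1])
        if (seen[name]++) next
        # Suffix match on a label boundary, so evilhome.lan. is not home.lan.
        n = length(name); z = length(zone)
        if (name == zone || (n > z && substr(name, n - z) == "." zone))
            hits++
        else
            print "# still validated, investigate: " name
    }
    END { if (hits) print "unbound-control insecure_add " zone }
    '
}

sample_log | triage_failures home.lan.
```

insecure_add switches off DNSSEC validation for everything under the named domain, so it belongs only on the zone the router itself serves; the persistent form of the same setting in unbound.conf is `domain-insecure: "home.lan."`.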