On 08/17/2012 10:52 PM, Dave Taht wrote:
> On Fri, Aug 17, 2012 at 12:05 PM, Török Edwin
>> I was using unbound on openwrt for dnssec before and I haven't noticed this problem.
>
> How is that on memory and configurability?

It was quite easy to configure, and I didn't need to touch it since the initial setup.
I think I just followed the instructions for Debian:
http://wiki.debian.org/DNSSEC#Unbound

I've attached my unbound.conf here if you want to see what it knows.
According to the config file it should use a 4M cache by default.
I didn't measure memory usage, or do any other benchmark to compare it against bind.

>
>> However I had some .ro time servers configured, and apparently they use quite a wide range
>> for their RRSIG, so maybe I was just lucky not to hit a situation where both .ro and .org would fail to validate.
>> RRSIG NS 5 2 7200 20120819122953 20120720122953....
>> RRSIG NSEC 8 1 86400 20120824000000 20120816230000 ...
>>
>> While the .org RRSIG has quite a recent timestamp:
>> org. 900 IN RRSIG SOA 7 1 900 20120907184119 20120817174119
>>
>> Added the .ro timeservers to cerowrt now, and will see if the problem occurs again.
>
> You were lucky, and it will. openwrt/cerowrt can periodically write
> the current time to flash, but not often enough for dnssec on a fresh
> boot, and more often would be mildly bad on flash wear.
>
> I wasn't aware however that some timeservers were available that [this sentence seems to have been cut off]
>
>>>> Another minor issue is that p910nd and luci-app-p910nd were not available via opkg install, but I found them on openwrt.org, so that works now.

Best regards,
--Edwin
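
The validity-window problem discussed in this thread, as an added example that is not part of the original message: it checks the three RRSIG windows quoted above against a router clock that is correct, stale, or reset to the epoch. The clock values are constructed, the records are keyed by type covered because the quoted lines give no owner name for the first two, and the check is a strict inception/expiration comparison with no validator skew allowance.

```python
from datetime import datetime, timedelta, timezone

# (type covered, expiration, inception) exactly as quoted in the message.
# RRSIG presentation order is expiration first, then inception (RFC 4034),
# both as YYYYMMDDHHmmSS in UTC.
RRSIGS = [
    ("NS",   "20120819122953", "20120720122953"),
    ("NSEC", "20120824000000", "20120816230000"),
    ("SOA",  "20120907184119", "20120817174119"),  # org.
]

def parse_ts(stamp):
    """Parse an RRSIG timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def validates(clock, expiration, inception):
    """A signature is usable only while inception <= clock <= expiration."""
    return parse_ts(inception) <= clock <= parse_ts(expiration)

def report(clock):
    """Map each quoted RRSIG to whether it validates at the given clock."""
    return {covered: validates(clock, exp, inc) for covered, exp, inc in RRSIGS}

def max_stale(true_now, inception):
    """Largest clock lag before the signature looks not-yet-valid."""
    return true_now - parse_ts(inception)

if __name__ == "__main__":
    # Constructed clock values (assumptions, not taken from the thread).
    true_now = datetime(2012, 8, 17, 20, 0, tzinfo=timezone.utc)
    clocks = {
        "correct clock": true_now,
        "time restored from flash, one week old": true_now - timedelta(days=7),
        "no saved time (epoch)": datetime(1970, 1, 1, tzinfo=timezone.utc),
    }
    for label, clock in clocks.items():
        print(f"{label:40s} {report(clock)}")
    for covered, _exp, inc in RRSIGS:
        print(f"{covered:5s} tolerates a clock lag of up to {max_stale(true_now, inc)}")
```
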