From: Török Edwin
Date: Fri, 17 Aug 2012 23:13:13 +0300
To: Dave Taht
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] cerowrt 3.3.8-17: nice latency improvements, some issues with bind
Message-ID: <502EA5D9.3000202@etorok.net>
References: <502E064C.50305@etorok.net> <502E9609.5040800@etorok.net>
List-Id: Development issues regarding the cerowrt test router project
On 08/17/2012 10:52 PM, Dave Taht wrote:
> On Fri, Aug 17, 2012 at 12:05 PM, Török Edwin wrote:
>> I was using unbound on openwrt for dnssec before and I haven't noticed this problem.
>
> How is that on memory and configurability?

It was quite easy to configure, and I didn't need to touch it since the initial setup. I think I just followed the instructions for Debian: http://wiki.debian.org/DNSSEC#Unbound

I've attached my unbound.conf here if you want to see what it knows. According to the config file it should use a 4M cache by default. I didn't measure memory usage, or do any other benchmark to compare it against bind.

>> However I had some .ro time servers configured, and apparently they use quite a wide range
>> for their RRSIG, so maybe I was just lucky not to hit a situation where both .ro and .org would fail to validate.
>> RRSIG NS 5 2 7200 20120819122953 20120720122953....
>> RRSIG NSEC 8 1 86400 20120824000000 20120816230000 ...
>>
>> While the .org RRSIG has quite a recent timestamp:
>> org. 900 IN RRSIG SOA 7 1 900 20120907184119 20120817174119
>>
>> Added the .ro timeservers to cerowrt now, and will see if the problem occurs again.
>
> You were lucky, and it will. openwrt/cerowrt can periodically write
> the current time to flash, but not often enough for dnssec on a fresh
> boot, and more often would be mildly bad on flash wear.
>
> I wasn't aware however that some timeservers were available that [this sentence seems to have been cut off]
>
>>>> Another minor issue is that p910nd and luci-app-p910nd were not available via opkg install, but I found them on openwrt.org, so that works now.
Best regards,
--Edwin

[Attachment: unbound.conf]

server:
    verbosity: 1
    interface: ::0
    interface: 0.0.0.0

    # the amount of memory to use for the RRset cache.
    # plain value in bytes or you can append k, m or G. default is "4Mb".
    rrset-cache-size: 4m

    # the number of slabs to use for the RRset cache.
    # the number of slabs must be a power of 2.
    # more slabs reduce lock contention, but fragment memory usage.
    rrset-cache-slabs: 2

    # control which clients are allowed to make (recursive) queries
    # to this server. Specify classless netblocks with /size and action.
    # By default everything is refused, except for localhost.
    # Choose deny (drop message), refuse (polite error reply),
    # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
    # access-control: 0.0.0.0/0 refuse
    # access-control: 127.0.0.0/8 allow
    # access-control: ::0/0 refuse
    # access-control: ::1 allow
    # access-control: ::ffff:127.0.0.1 allow
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow

    # if given, user privileges are dropped (after binding port),
    # and the given username is assumed. Default is user "unbound".
    # If you give "" no privileges are dropped.
    # username: "unbound"
    username: ""

    # the working directory. The relative files in this config are
    # relative to this directory. If you give "" the working directory
    # is not changed.
    directory: "/etc/unbound"

    # the log file, "" means log to stderr.
    # Use of this option sets use-syslog to "no".
    # logfile: ""

    # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
    # log to, with identity "unbound". If yes, it overrides the logfile.
    use-syslog: yes

    # print UTC timestamp in ascii to logfile, default is epoch in seconds.
    # log-time-ascii: no

    # the pid file. Can be an absolute path outside of chroot/work dir.
    pidfile: "/var/run/unbound.pid"

    # file to read root hints from.
    # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
    root-hints: "named.cache"

    # Root zone trust anchor key
    # Will be autoupdated by unbound in case of key change
    auto-trust-anchor-file: "root.autokey"

    # If you want to also do DLV validation (RFC5074),
    # download http://ftp.isc.org/www/dlv/dlv.isc.org.key
    # and uncomment following line:
    #dlv-anchor-file: "dlv.isc.org.key"

    # You can also do ITAR validation (https://itar.iana.org)
    # To download and update anchors.mf file, use update-itar.sh
    # from page http://www.unbound.net/documentation/howto_itar.html
    #trust-anchor-file: "anchors.mf"

    # If you want to forward requests to another recursive DNS server
    # uncomment this. Please note that many DNS recursors do strip
    # DNSSEC data, rendering unbound server unusable.
    # forward-zone:
    #   name: "."
    #   forward-addr: 8.8.8.8
    #   forward-addr: 8.8.4.4
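The "you were lucky" point in the exchange above, as an added example that is not part of the original mail: the three RRSIG lines quoted in the thread are parsed and checked against candidate router clocks under the RFC 4034 rule (inception <= now <= expiration). The two stale clocks are constructed; the third is the time the mail was sent.

```python
"""Added example, not from the thread: which of the quoted RRSIGs a validator
accepts, depending on what its clock reads after boot (RFC 4034 s3.1.5)."""
import re
from datetime import datetime, timezone

# The three RRSIG lines quoted in the mail. Only the fixed-position fields
# (type covered, algorithm, labels, original TTL, expiration, inception)
# survive the quote, and they are all a validity-window check needs.
RRSIG_LINES = [
    "RRSIG NS 5 2 7200 20120819122953 20120720122953....",
    "RRSIG NSEC 8 1 86400 20120824000000 20120816230000 ...",
    "org. 900 IN RRSIG SOA 7 1 900 20120907184119 20120817174119",
]
_RRSIG_RE = re.compile(r"RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})")
_TS = "%Y%m%d%H%M%S"  # presentation-format RRSIG timestamps are UTC

def utc(*ymdhms):
    """Build a UTC datetime from year, month, day[, hour, minute, second]."""
    return datetime(*ymdhms, tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return {'type', 'inception', 'expiration'} for one presentation-format RRSIG."""
    m = _RRSIG_RE.search(line)
    if not m:
        raise ValueError("not an RRSIG line: " + line)
    to_dt = lambda s: datetime.strptime(s, _TS).replace(tzinfo=timezone.utc)
    return {"type": m.group(1), "expiration": to_dt(m.group(2)), "inception": to_dt(m.group(3))}

def window_days(sig):
    """Whole days between inception and expiration: how wide the signer's window is."""
    return (sig["expiration"] - sig["inception"]).days

def signature_valid_at(sig, clock):
    """A validator whose clock reads `clock` accepts the signature only inside its window."""
    return sig["inception"] <= clock <= sig["expiration"]

def validating_types(clock, lines=RRSIG_LINES):
    """Types covered by the quoted RRSIGs that still validate at `clock`."""
    return [s["type"] for s in map(parse_rrsig, lines) if signature_valid_at(s, clock)]

if __name__ == "__main__":
    for label, clock in [
        ("clock correct (mail sent)", utc(2012, 8, 17, 20, 13, 13)),
        ("clock a week stale (constructed)", utc(2012, 8, 10)),
        ("no RTC, epoch after boot (constructed)", utc(1970, 1, 1)),
    ]:
        print(f"{label:40s} accepts {validating_types(clock)}")
```

With a week-old clock only the .ro NS signature (a 30-day window) still validates, while the freshly re-signed .org SOA does not; with no saved time at all nothing validates, which is the fresh-boot failure Dave describes.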
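A small audit of the attached unbound.conf, added here as an example and not part of the original mail: it flags the two settings in that file whose own comments describe a more restrictive default (wildcard `interface` plus `access-control ... allow` for 0.0.0.0/0 and ::0/0, which answers recursive queries for any source that can reach port 53, and `username: ""`, which keeps root after binding). The excerpts are constructed from the attachment; the LAN prefix in the hardened variant is an assumption.

```python
"""Added example, not from the thread: audit an unbound.conf for the open-resolver
shape and the missing privilege drop seen in the attached file."""

# Constructed excerpt of the attached unbound.conf (comments removed).
POSTED_CONF = """
server:
    interface: ::0
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    username: ""
"""

# The same file with the defaults its own comments describe: refuse the world,
# allow one LAN prefix (192.168.1.0/24 is an assumption), keep the privilege drop.
HARDENED_CONF = """
server:
    interface: ::0
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 refuse
    access-control: 192.168.1.0/24 allow
    access-control: ::0/0 refuse
    username: "unbound"
"""

WILDCARD_INTERFACES = {"0.0.0.0", "::0", "::"}
WORLD_NETBLOCKS = {"0.0.0.0/0", "::0/0", "::/0"}

def parse_options(text):
    """Yield (key, value) pairs; '#' comments and the bare 'server:' clause are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if sep and value.strip():
            yield key.strip(), value.strip()

def audit(text):
    """Return human-readable findings; an empty list means neither issue is present."""
    opts = list(parse_options(text))
    findings = []
    binds_all = any(k == "interface" and v in WILDCARD_INTERFACES for k, v in opts)
    world_allow = [v for k, v in opts
                   if k == "access-control" and v.split()[0] in WORLD_NETBLOCKS
                   and v.split()[-1] in ("allow", "allow_snoop")]
    if binds_all and world_allow:
        # Recursion for any source that reaches port 53: the open-resolver shape.
        findings.append("open resolver: " + "; ".join(world_allow))
    if any(k == "username" and v.strip('"') == "" for k, v in opts):
        findings.append('no privilege drop: username is ""')
    return findings
```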