From: Dave Taht
To: Toke Høiland-Jørgensen
Cc: "cerowrt-devel@lists.bufferbloat.net"
Date: Sun, 13 Apr 2014 07:57:18 -0700
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?

On Sun, Apr 13, 2014 at 3:05 AM, Toke Høiland-Jørgensen wrote:
>
>> Is there a "D"?
>
> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).

I had done quite a few optimizations to make running a full blown bind9
resolver at home pretty performant (caching the roots, for example). I also
liked being able to do full split dns, etc.

But: I got fed up with doing bind for a variety of reasons:

A) 4 CERT alerts in a year, including a couple nasty ones
B) Too hard to configure even for a wizard
C) Too hard to configure via a web interface
D) People blocking the roots
E) Would run out of flash easily with the jnl file

So I pursued finding something (e.g. dnsmasq) that was smaller, more
integrated, easier to configure, and easy on ram and flash.

So that's dnsmasq today. It seems more plausible to continue to improve
dnsmasq than it is to dumb down bind.

I do not mind continuing to support and improve optional bind and unbound
support for those that want to use them.

> -Toke
>
>

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article