From: Dave Taht <dave.taht@gmail.com>
To: "cerowrt-devel@lists.bufferbloat.net" <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
Date: Sun, 13 Apr 2014 16:24:12 -0700
Message-ID: <CAA93jw7FoNdn0baGhOHFz6XJ1aY1oXsnA+Srn4p7+xa_AOgv2Q@mail.gmail.com>
In-Reply-To: <20140413175940.GP16334@angus.ind.WPI.EDU>
On Sun, Apr 13, 2014 at 10:59 AM, Chuck Anderson <cra@wpi.edu> wrote:
> On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
>>
>> > Is there a "D"?
>>
>> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
>
> How do these proposals compare with unbound+dnssec-trigger in the
> Fedora world? I stirred up a rats nest:
>
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
Oh, did you! I'm reluctant to join that enormous thread, but there
have been a couple of things stated that aren't quite correct.
0) I agree that dnsmasq needs to be tested a lot more before its
dnssec implementation can be trusted as much as unbound's or
bind's.
1) dnsmasq is used by ubuntu by default (at least), and it's at least
semi-integrated with network manager in that case over the dbus.
So far as I know the caching functionality in dnsmasq in that instance
is disabled due to fears about cache poisoning, which I don't fully
understand. My half-understood fear translates into equivalent fears
for other local dns daemons.
2) Benchmarks like namebench can show the value of the local cache,
shaving milliseconds off of local queries across the network.
I have generally had servers have their own bind daemon for about 16
years - it helps, especially if you like to do reverse lookups.
3) I heartily approve of alternate dns servers like unbound or bind
being used by various distros of choice - a monoculture is not what is
needed here! Support and integration into NM for all of them would be
great.
4) dnsmasq is now fully capable of obsoleting resolv.conf.auto cleverly
and dealing with at least some vagaries of vpns.
> I realize these are slightly different use cases, but it may be
> helpful to learn from the different implementations, if for no other
> reason than to be sure they interoperate. I'm going to turn on
> unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> turned on to see what happens...
I was unaware of the dnssec-trigger stuff, which makes sense
especially on mobiles transiting captive-portal environments.
I would also like openwrt's captive portal stuff to work better.
I was also unaware of unbound's clever suspend resume support
for clearing the local cache.
--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
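As an added illustration (this configuration is not from the message above, nor from the dnsmasq or CeroWrt projects), here is a dnsmasq fragment that turns on the full in-daemon DNSSEC validation and the local cache the thread is discussing, with the weaker proxy-only alternative shown beside it. The option names are dnsmasq's own; the interface name and the upstream server address are assumed placeholders.

```conf
# Added example: not part of the original message or of dnsmasq's shipped
# defaults. The interface name and the upstream address below are assumed.

# Answer only on the LAN side of the router (assumed interface name).
interface=lan0
bind-interfaces

# Upstream forwarder (assumed placeholder address from the documentation range).
server=192.0.2.53

# The local cache: this is what shaves milliseconds off repeated lookups
# for every host behind the router.
cache-size=10000

# Weak setting: proxy-dnssec only passes through the AD bit that the upstream
# resolver sets, so validation is trusted to that upstream and to the path to it.
#proxy-dnssec

# Corrected setting: validate in dnsmasq itself, against the root trust anchor.
dnssec
# Root zone KSK-2017 DS record. Cross-check this value against IANA's published
# root trust anchors before relying on it.
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Require proof that an unsigned answer comes from a genuinely unsigned zone,
# so a reply with its RRSIGs stripped is treated as bogus rather than accepted.
dnssec-check-unsigned

# Routers without a real-time clock boot with a bogus date, which makes every
# RRSIG validity window fail. Skip only the time-window checks until the system
# clock has been set, then send dnsmasq SIGINT to enable them and flush
# anything cached while the checks were off.
dnssec-no-timecheck
```

With this in place, clients that send queries with the DO bit set receive the AD flag only for answers dnsmasq validated itself, and answers that fail validation are returned as SERVFAIL, so a poisoned or tampered upstream reply does not land in the local cache.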