From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net
Date: Sun, 13 Apr 2014 16:24:12 -0700
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
On Sun, Apr 13, 2014 at 10:59 AM, Chuck Anderson wrote:
> On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
>>
>> > Is there a "D"?
>>
>> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
>
> How do these proposals compare with unbound+dnssec-trigger in the
> Fedora world? I stirred up a rats nest:
>
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html

Oh, did you! I'm reluctant to join that enormous thread, but there have been a couple of things stated that aren't quite correct.

0) I agree that dnsmasq needs to be tested a lot more before its dnssec implementation can be trusted as much as unbound's or bind's.

1) dnsmasq is used by ubuntu by default (at least), and it's at least semi-integrated with network manager in that case over the dbus. So far as I know the caching functionality in dnsmasq in that instance is disabled due to fears about cache poisoning that I don't fully understand. My half-understood fear translates into equivalent fears for other local dns daemons.

2) Benchmarks like namebench can show the value of the local cache, shaving milliseconds off of local queries across the network. I have generally had servers run their own bind daemon for about 16 years - it helps, especially if you like to do reverse lookups.

3) I heartily approve of alternate dns servers like unbound or bind being used by various distros of choice - a monoculture is not what is needed here! Support and integration into NM for all of them would be great.

4) dnsmasq is now fully capable of obsoleting resolv.conf.auto cleverly and dealing with at least some vagaries of vpns.

> I realize these are slightly different use cases, but it may be
> helpful to learn from the different implementations, if for no other
> reason than to be sure they interoperate. I'm going to turn on
> unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> turned on to see what happens...

I was unaware of the dnssec-trigger stuff, which makes sense especially on mobiles transiting captive-portal environments. I would also like openwrt's captive portal stuff to work better.

I was also unaware of unbound's clever suspend/resume support for clearing the local cache.

-- 
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article