[Cerowrt-devel] Full blown DNSSEC by default?

Dave Taht dave.taht at gmail.com
Sun Apr 13 19:24:12 EDT 2014


On Sun, Apr 13, 2014 at 10:59 AM, Chuck Anderson <cra at wpi.edu> wrote:
> On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
>>
>> > Is there a "D"?
>>
>> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
>
> How do these proposals compare with unbound+dnssec-trigger in the
> Fedora world?  I stirred up a rats nest:
>
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html

Oh, did you! I'm reluctant to join that enormous thread, but there
have been a couple of things stated that aren't quite correct.

0) I agree that dnsmasq needs to be tested a lot more before its
dnssec implementation can be trusted as much as unbound's or
bind's.

1) dnsmasq is used by ubuntu by default (at least), and it's at least
semi-integrated with network manager in that case over the dbus.

So far as I know, the caching functionality in dnsmasq in that instance
is disabled due to fears about cache poisoning that I don't fully
understand. My half-understood fear translates into equivalent fears
for other local dns daemons.

2) Benchmarks like namebench can show the value of the local cache,
shaving milliseconds off of local queries across the network.

I have generally had servers run their own bind daemon for about 16
years - it helps, especially if you like to do reverse lookups.

3) I heartily approve of alternate dns servers like unbound or bind
being used by various distros of choice - a monoculture is not what is
needed here! Support and integration into NM for all of them would be
great.

4) dnsmasq is now fully capable of obsoleting resolv.conf.auto cleverly
and dealing with at least some vagaries of vpns.

> I realize these are slightly different use cases, but it may be
> helpful to learn from the different implementations, if for no other
> reason than to be sure they interoperate.  I'm going to turn on
> unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> turned on to see what happens...

I was unaware of the dnssec-trigger stuff, which makes sense
especially on mobiles transiting captive-portal environments.

I would also like openwrt's captive portal stuff to work better.

I was also unaware of unbound's clever suspend resume support
for clearing the local cache.




-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
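As an added example, not part of the thread and not code from the cerowrt, dnsmasq or unbound projects: the two things a practitioner testing "Cerowrt w/DNSSEC turned on" behind another validating resolver most wants are a dnsmasq fragment that actually enforces validation, and a check that the resolver chain validates rather than merely passing answers through. The script assumes a dnsmasq release with DNSSEC support (2.69 or later), `dig` from bind-utils, and a root trust anchor you have verified yourself against IANA's published file at https://data.iana.org/root-anchors/; the DS line below is the current root KSK (tag 20326), not the 2010 key (tag 19036) that was in use when this thread was written. The test zones are the signed ietf.org and the deliberately broken dnssec-failed.org.

```shell
#!/bin/sh
# Added example: enable DNSSEC validation in dnsmasq and verify that the
# resolver in front of you really validates. Not code from the thread.

# Write a dnsmasq drop-in that turns validation on.
# $1 = destination file, e.g. /etc/dnsmasq.d/dnssec.conf (path is an assumption)
write_dnsmasq_dnssec_conf() {
    cat > "$1" <<'EOF'
# Validate answers from the upstream servers.
dnssec
# Root KSK-2017 as a DS record: key tag 20326, RSASHA256 (8), SHA-256 digest (2).
# Check this against https://data.iana.org/root-anchors/ before trusting it.
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Weak setting, shown for contrast: leaving this line out (as older releases
# did by default) makes dnsmasq accept an unsigned answer at face value, so an
# on-path attacker can strip the RRSIGs off a signed zone and downgrade it.
# With it set, dnsmasq walks the DS chain to prove a zone really is unsigned.
dnssec-check-unsigned
EOF
}

# Read a `dig` response on stdin; succeed only if the AD (authenticated data)
# bit is present in the flags line, i.e. some validator marked the answer good.
has_ad_flag() {
    grep -E '^;; flags:' | grep -qw 'ad'
}

# Read a `dig` response on stdin and print its RCODE (NOERROR, SERVFAIL, ...).
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# Live check against a resolver (needs network). AD on a signed zone only
# shows that something in the chain validated; the SERVFAIL on a zone with
# deliberately broken signatures is the stronger proof that validation is
# enforced rather than forwarded.
# $1 = resolver address, e.g. 127.0.0.1 for the local dnsmasq
check_validation() {
    if ! dig @"$1" +dnssec ietf.org A | has_ad_flag; then
        echo "no AD bit on a signed zone: $1 is not validating" >&2
        return 1
    fi
    st=$(dig @"$1" +dnssec dnssec-failed.org A | dig_status)
    if [ "$st" != "SERVFAIL" ]; then
        echo "broken zone answered with $st: $1 does not enforce validation" >&2
        return 1
    fi
    echo "resolver $1 validates and rejects bogus data"
}

# Usage (run as root on the router, then restart dnsmasq):
#   write_dnsmasq_dnssec_conf /etc/dnsmasq.d/dnssec.conf
#   check_validation 127.0.0.1
```

Run `check_validation` once against the router and once against whatever the laptop's unbound ends up pointing at; if the laptop gets AD but the router alone does not, the laptop's validator is doing the work, which is exactly the interoperability question raised above.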