[Cerowrt-devel] Full blown DNSSEC by default?
Chuck Anderson
cra at WPI.EDU
Sun Apr 20 10:01:45 EDT 2014
On Sun, Apr 13, 2014 at 01:59:41PM -0400, Chuck Anderson wrote:
> On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
> >
> > > Is there a "D"?
> >
> > Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
>
> How do these proposals compare with unbound+dnssec-trigger in the
> Fedora world? I stirred up a rats nest:
>
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
>
> I realize these are slightly different use cases, but it may be
> helpful to learn from the different implementations, if for no other
> reason than to be sure they interoperate. I'm going to turn on
> unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> turned on to see what happens...
The first effect of using a client-side DNSSEC validator is that
gw.home.lan doesn't work:
Apr 20 00:12:32 a unbound[1885]: [1885:1] info: validation failure <gw.home.lan. A IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust
To make this work, you have to tell unbound that home.lan is an
insecure domain:
unbound-control insecure_add home.lan.
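The `unbound-control insecure_add` call above only lasts until unbound is restarted. The persistent equivalent, as an added example that is not part of the original post, is a `domain-insecure` entry in unbound.conf; the file path and the zone name `home.lan` are taken from the thread, everything else here is assumed.

```conf
# /etc/unbound/unbound.conf (or a drop-in under conf.d/), added example
server:
    # Validate everything else as usual; trust anchor managed by unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Declare the local zone served by the Cerowrt gateway as insecure, so
    # the missing NSEC3 proof of an insecure delegation for "lan." no longer
    # makes every name under home.lan. fail validation.
    domain-insecure: "home.lan"

remote-control:
    control-enable: yes
```

After a reload, `unbound-host -v gw.home.lan` should report the address with `(insecure)` rather than `(BOGUS (security failure))`, and `unbound-control list_insecure` should list `home.lan.`. Note that `domain-insecure` only switches off validation for that subtree; it does not stop a forged answer for `home.lan` names on the local network, which is exactly the trade-off DNSSEC was meant to remove.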