[Cerowrt-devel] Full blown DNSSEC by default?

Chuck Anderson cra at WPI.EDU
Sun Apr 20 10:01:45 EDT 2014


On Sun, Apr 13, 2014 at 01:59:41PM -0400, Chuck Anderson wrote:
> On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
> > 
> > > Is there a "D"?
> > 
> > Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
> 
> How do these proposals compare with unbound+dnssec-trigger in the
> Fedora world?  I stirred up a rat's nest:
> 
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
> 
> I realize these are slightly different use cases, but it may be
> helpful to learn from the different implementations, if for no other
> reason than to be sure they interoperate.  I'm going to turn on
> unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> turned on to see what happens...

The first effect of using a client-side DNSSEC validator is that
gw.home.lan doesn't work:

Apr 20 00:12:32 a unbound[1885]: [1885:1] info: validation failure <gw.home.lan. A IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust

To make this work, you have to tell unbound that home.lan is an
insecure domain:

unbound-control insecure_add home.lan.
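As an added example (not code from the post or the Cerowrt project), a small Python parser for unbound "validation failure" log lines like the one above: it separates failures under a known private zone (the case hit here, where the remedy is to mark the zone insecure) from failures that should be investigated as real DNSSEC problems, and emits the unbound.conf `domain-insecure:` line equivalent to the `unbound-control insecure_add` call. The list of local zones and the extra log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample: the line from the post plus three made-up lines.
SAMPLE_LOG = """\
Apr 20 00:12:32 a unbound[1885]: [1885:1] info: validation failure <gw.home.lan. A IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust
Apr 20 00:12:40 a unbound[1885]: [1885:1] info: validation failure <nas.home.lan. AAAA IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust
Apr 20 00:13:01 a unbound[1885]: [1885:1] info: validation failure <www.example. A IN>: signature expired (constructed sample)
Apr 20 00:13:05 a unbound[1885]: [1885:1] info: resolving www.example. A IN
"""

FAILURE_RE = re.compile(
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)
DS_RE = re.compile(r"for DS (?P<zone>\S+)")  # zone whose DS lookup failed

def parse_failures(log_text):
    """Return one dict per 'validation failure' line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        ds = DS_RE.search(rec["reason"])
        rec["ds_zone"] = ds.group("zone") if ds else None
        out.append(rec)
    return out

def in_zone(name, zone):
    """True if name equals zone or lies under it (both absolute, trailing dot)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

def classify(failures, local_zones):
    """Count failures per known local zone; return the rest for investigation."""
    local, other = Counter(), []
    for f in failures:
        zone = next((z for z in local_zones if in_zone(f["qname"], z)), None)
        if zone:
            local[zone] += 1
        else:
            other.append(f)
    return local, other

def insecure_config(local_counts):
    """unbound.conf lines equivalent to 'unbound-control insecure_add <zone>'."""
    return ['domain-insecure: "%s"' % z for z in sorted(local_counts)]
```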


