[Cerowrt-devel] dnssec by default and other stories from the bleeding edge
dave.taht at gmail.com
Wed Feb 19 11:43:48 EST 2014
-1) The package repos have all moved on github... This will break everybody
building cerowrt themselves and get them to pay attention.
0) I'm having some trouble with default routes
1) The 3.10.28-12 non-release has dnssec enabled by default. (I think -
A concern of mine has long been that this is going to break in some scenarios,
notably with broken forwarders.
From my perspective, having it on by default ensures it gets tested. If you have
dns issues (notably with getting time or other queries), you can turn it off
by commenting it out in that file.
I also kind of expect bug #113 to recur... a hook to turn off dnssec at boot,
and turn it on after time is obtained might be useful. (openwrt ntp
supports a script to run after it starts, I think)
Otherwise, leave it on and enjoy the glory of ad-free NXDOMAIN results.
There is still no NSEC3 support, I am not sure how much that matters.
2) There are some other fixes pending to deal with source specific routing,
multiple providers, and multiple dns upstreams, which require tight
dnsmasq and netifd integration and the retirement of resolv.conf.auto.
3) the bcp38 code does not look like I'll get a chance to finish it
any time soon.
I have a proof of concept in github, and a start at a script in
is a hook to insert/delete firewall rules at the right time and sense
if the external interface is double natted. (help wanted)
4) next up is to get a reproducible build, and fix package signing.
5) There are still a few instruction traps in 3.10.28-12 in odhcpd,
those were fixed last night but haven't made it to openwrt yet.
6) I think wifi can be tuned up a bit to behave better under rrul.
Anything else I should care about?
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
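
The hook suggested in item 1 (dnssec off at boot, on once time is obtained) could look like the sketch below. It is an added example, not code from the original post or from CeroWrt. Assumptions: the function names, the `MIN_EPOCH` bound, the config path in the usage comment, and that validation is controlled by bare `dnssec*` lines in a dnsmasq config file.

```shell
#!/bin/sh
# Added example: keep DNSSEC validation off until the clock is plausible.
# Hypothetical: MIN_EPOCH, the function names and the config path are assumptions.

MIN_EPOCH=1392768000   # 2014-02-19 00:00:00 UTC; constructed "not before" bound

# clock_is_sane [EPOCH]: true if the given (or current) time is at/after MIN_EPOCH.
clock_is_sane() {
    [ "${1:-$(date +%s)}" -ge "$MIN_EPOCH" ]
}

# set_dnssec on|off FILE: uncomment or comment bare dnsmasq "dnssec*" directives.
# Returns 0 if FILE changed (caller should restart dnsmasq), 1 if it did not.
set_dnssec() {
    tmp="$2.$$"
    case "$1" in
        on)  sed 's/^#[[:space:]]*\(dnssec[-a-z]*\)[[:space:]]*$/\1/' "$2" > "$tmp" ;;
        off) sed 's/^\(dnssec[-a-z]*\)[[:space:]]*$/#\1/' "$2" > "$tmp" ;;
        *)   return 2 ;;
    esac
    if cmp -s "$2" "$tmp"; then rm -f "$tmp"; return 1; fi
    mv "$tmp" "$2"
}

# sync_dnssec FILE [EPOCH]: pick the state from the clock and apply it.
sync_dnssec() {
    if clock_is_sane "$2"; then
        set_dnssec on "$1"
    else
        set_dnssec off "$1"
    fi
}

# Usage (assumed paths), once at boot and again from the post-NTP script:
#   sync_dnssec /etc/dnsmasq.conf && /etc/init.d/dnsmasq restart
```

Because `sync_dnssec` returns non-zero when nothing changed, calling it from both the boot path and the time-sync path restarts dnsmasq only when the state actually flips.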