On Sun, Apr 13, 2014 at 10:59 AM, Chuck Anderson <[email protected]> wrote:
> On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
>>
>> > Is there a "D"?
>>
>> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind
>> for some time on my boxes (prior to dnssec support in dnsmasq).
>
> How do these proposals compare with unbound+dnssec-trigger in the
> Fedora world? I stirred up a rat's nest:
>
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
Oh, did you! I'm reluctant to join that enormous thread, but there have
been a couple of things stated that aren't quite correct.

0) I agree that dnsmasq needs to be tested a lot more before its dnssec
implementation can be trusted as much as unbound's or bind's.

1) dnsmasq is used by ubuntu by default (at least), and it's at least
semi-integrated with network manager in that case over the dbus. So far
as I know the caching functionality in dnsmasq in that instance is
disabled due to fears about cache poisoning, which I don't fully
understand. My half-understood fear translates into equivalent fears for
other local dns daemons.

2) Benchmarks like namebench can show the value of the local cache,
shaving milliseconds off of local queries across the network. I have
generally had servers have their own bind daemon for about 16 years - it
helps, especially if you like to do reverse lookups.

3) I heartily approve of alternate dns servers like unbound or bind being
used by various distros of choice - a monoculture is not what is needed
here! Support and integration into NM for all of them would be great.

4) dnsmasq is now fully capable of obsoleting resolv.conf.auto cleverly
and dealing with at least some vagaries of vpns.

> I realize these are slightly different use cases, but it may be
> helpful to learn from the different implementations, if for no other
> reason than to be sure they interoperate. I'm going to turn on
> unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> turned on to see what happens...

I was unaware of the dnssec-trigger stuff, which makes sense especially
on mobiles transiting captive-portal environments. I would also like
openwrt's captive portal stuff to work better.

I was also unaware of unbound's clever suspend/resume support for
clearing the local cache.
> _______________________________________________
> Cerowrt-devel mailing list
> [email protected]
> https://lists.bufferbloat.net/listinfo/cerowrt-devel

--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
