On Sun, Apr 13, 2014 at 01:59:41PM -0400, Chuck Anderson wrote:
> On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
> >
> > > Is there a "D"?
> >
> > Running a full resolver in cerowrt? I've been running a dnssec-enabled bind
> > for some time on my boxes (prior to dnssec support in dnsmasq).
>
> How do these proposals compare with unbound+dnssec-trigger in the
> Fedora world? I stirred up a rats nest:
>
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
>
> I realize these are slightly different use cases, but it may be
> helpful to learn from the different implementations, if for no other
> reason than to be sure they interoperate. I'm going to turn on
> unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> turned on to see what happens...

The first effect of using a client-side DNSSEC validator is that
gw.home.lan doesn't work:

Apr 20 00:12:32 a unbound[1885]: [1885:1] info: validation failure <gw.home.lan. A IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust

To make this work, you have to tell unbound that home.lan is an
insecure domain:

unbound-control insecure_add home.lan.
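
The log line and fix in the message above, turned into a small triage helper. This is an added example, not part of the original mail: the sample log is constructed (its first line is the one quoted above) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage unbound "validation failure" log lines.
# SAMPLE_LOG is constructed; only its first line comes from the mail.
SAMPLE_LOG='Apr 20 00:12:32 a unbound[1885]: [1885:1] info: validation failure <gw.home.lan. A IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust
Apr 20 00:12:40 a unbound[1885]: [1885:1] info: validation failure <nas.home.lan. AAAA IN>: no NSEC3 records from 172.30.42.65 for DS lan. while building chain of trust
Apr 20 00:13:02 a unbound[1885]: [1885:1] info: validation failure <www.example.org. A IN>: no NSEC3 records from 192.0.2.53 for DS org. while building chain of trust'

# Print each distinct query name that failed validation (stdin: unbound log).
failed_names() {
    sed -n 's/.*validation failure <\([^ >]*\) [A-Z0-9]* [A-Z]*>:.*/\1/p' | sort -u
}

# Print the insecure_add command for ZONE only if some failed name is ZONE
# itself or lies below it (matched on a label boundary). ZONE is supplied by
# the operator and never derived from the log, so a failure for a public
# name such as www.example.org. cannot switch validation off by itself.
insecure_cmd_for() {
    zone=${1%.}.    # normalise to exactly one trailing dot
    failed_names | while IFS= read -r name; do
        case "$name" in
            "$zone"|*".$zone")
                echo "unbound-control insecure_add $zone"
                break ;;
        esac
    done
}

# Stand-alone run: which command does the sample log justify for home.lan?
printf '%s\n' "$SAMPLE_LOG" | insecure_cmd_for home.lan
```

`insecure_add` only changes the running server; the persistent equivalent is a `domain-insecure: "home.lan."` line in the `server:` section of unbound.conf.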
