On Sep 10, 2013, at 7:17 PM, Brian E Carpenter <[email protected]>
wrote:
> On 11/09/2013 09:59, Olafur Gudmundsson wrote:
> ...
>> My colleagues and I worked on OpenWrt routers to get Unbound to work there,
>> what you need to do is to start DNS up in non-validating mode
>> wait for NTP to fix time, then check if the link allows DNSSEC answers
>> through, at which point you can enable DNSSEC validation.
>
> Hopefully you also flush the DNS cache as soon as NTP runs. Even so,
> paranoia suggests that a dodgy IP address might still be cached in
> some app.
>
> Brian

Flushing cache is a good idea, and dnssec-trigger does this when it "upgrades"
the unbound from recursor to validator.

Olafur
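
An added example, not part of the original thread and not code from dnssec-trigger or Unbound: one way to implement the "check if the link allows DNSSEC answers through" step before switching validation on. It assumes the test is a DO-bit query for the root DNSKEY set that must come back complete with an RRSIG in the answer section; the function names and the sample packets are constructed for illustration.

```python
import struct

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48

def build_probe(txid=0x1234):
    """Query for the root DNSKEY set with EDNS0 and the DO (DNSSEC OK) bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)      # root name, class IN
    # OPT RR: root name, UDP size 1232 in CLASS, DO flag (0x8000) in the TTL field
    return header + question + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, 0)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n

def link_passes_dnssec(msg):
    """True only for a complete NOERROR response whose answer section has an RRSIG."""
    try:
        _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if not flags & 0x8000 or flags & 0x0200 or flags & 0x000F:
            return False              # not a response, truncated, or an error RCODE
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if off > len(msg):
                return False          # record runs past the end of the packet
            if rtype == TYPE_RRSIG:
                return True
    except (IndexError, struct.error):
        pass
    return False

# Constructed sample responses (placeholder RDATA, not real keys or signatures).
def _rr(rtype, rdata):
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

_Q = b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)
SAMPLE_SIGNED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _Q
                 + _rr(TYPE_DNSKEY, b"k" * 8) + _rr(TYPE_RRSIG, b"s" * 24))
SAMPLE_STRIPPED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + _rr(TYPE_DNSKEY, b"k" * 8)
```

A resolver wrapper would send `build_probe()` to the upstream, and only after NTP has set the clock and `link_passes_dnssec()` returns true would it enable validation and flush the cache, as discussed in the thread.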