On Thu, Oct 24, 2019 at 12:24:22PM +0200, Otto Moerbeek wrote:

> On Thu, Oct 24, 2019 at 11:27:24AM +0100, Kevin Chadwick wrote:
> 
> > 
> > > The purpose of unwind is to provide secure DNS services even when
> > > the available nameservers are broken or filtered like in many hotels.
> > > To do that, it prefers DNSSEC whenever possible and changes to do
> > > resolving by itself if needed.
> > > 
> > > DNSSEC only offers integrity and authenticity.  To protect
> > > eavesdropping on the requests in transit, encryption is needed, as
> > > offered by e.g. DNS over TLS (DoT) and DNS over HTTPS (DoH). unwind
> > 
> > Before I jump aboard with DNSSEC's failings in mind on my own networks rather
> > than the mentioned hotel scenario, I believe but I am still not certain that
> > services like PowerDNS have secure channels to the main primary DNS servers that
> > apparently do not scale for the rest of us? Otherwise I worry that the network
> > security target is a more singular centralised target compared to e.g. unbound.
> > 
> 
> Guess what the default config of unwind does: it runs a local resolver
> and learns from DHCP. It will select either one, with DNSSEC working
> preferred. DNSSEC operations are sometimes blocked by crappy
> middleware. Unwind's resolver is basically a built-in simple unbound;
> the code uses libunbound.
> 
> So the default config of unwind addresses both your concerns.
> 
>       -Otto
> 

To elaborate: unwind checks if DNSSEC works on any source and switches
back to non-validation if needed. The whole point of unwind is that it
will try to provide the best DNS service possible in any circumstance.

        -Otto

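As an added illustration of the selection behaviour Otto describes (probe every candidate source, prefer one on which DNSSEC validation works, otherwise fall back to plain resolution), here is a small Python model. This is example code written for this page, not unwind's own implementation, which is built on libunbound; the status names, the hand-constructed sample replies, the probe-a-known-signed-name assumption and the preference order are assumptions of the example.

```python
"""Model of "prefer a DNSSEC-validating source, fall back if validation is
blocked", as described in the thread.  Example code, not unwind's code.

The probe is assumed to be a query for a name that is known to exist and to
be properly signed, sent with DO set.  The reply header is parsed per
RFC 1035 section 4.1.1 (AD/CD bits from RFC 4035 section 3.2.3).  All
sample replies below are constructed by hand for this example.
"""
import struct

# Header flag bits and RCODEs (RFC 1035, RFC 4035)
FLAG_QR = 0x8000
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 2, 3, 5

# id, flags, qdcount, ancount, nscount, arcount
HEADER = struct.Struct("!HHHHHH")

# Statuses we accept, best first (assumption of this example).
PREFERENCE = ("validated", "insecure")


def build_response(qid, rcode=RCODE_NOERROR, ad=False, answers=1):
    """Construct a minimal DNS reply header (sections omitted) for the tests."""
    flags = FLAG_QR | FLAG_RA | (rcode & RCODE_MASK)
    if ad:
        flags |= FLAG_AD
    return HEADER.pack(qid, flags, 1, answers, 0, 0)


def classify(reply, expected_qid):
    """Classify a raw reply to the probe query.

    Returns one of:
      'validated' - NOERROR with AD set: source validated the signed name
      'insecure'  - NOERROR without AD: answers, but no validation
      'servfail'  - SERVFAIL: resolver cannot validate/resolve the name
      'filtered'  - known-good name refused, denied or empty: portal/filter
      'none'      - no usable reply (timeout, blocked port, wrong id, junk)
    """
    if reply is None or len(reply) < HEADER.size:
        return "none"
    qid, flags, _qd, ancount, _ns, _ar = HEADER.unpack_from(reply)
    if qid != expected_qid or not flags & FLAG_QR:
        return "none"            # not a reply to our question
    rcode = flags & RCODE_MASK
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if rcode in (RCODE_REFUSED, RCODE_NXDOMAIN) or ancount == 0:
        return "filtered"        # a name known to exist came back denied
    if rcode != RCODE_NOERROR:
        return "none"
    return "validated" if flags & FLAG_AD else "insecure"


def pick_source(probe_results):
    """probe_results: {source_name: status}.  Return (source, status) for the
    best-ranked source per PREFERENCE, or (None, None) if nothing answers."""
    for wanted in PREFERENCE:
        for source, status in probe_results.items():
            if status == wanted:
                return source, wanted
    return None, None


def demo():
    """Three candidate sources probed for the same signed name (constructed)."""
    qid = 0x1234
    replies = {
        "dhcp-resolver": build_response(qid, rcode=RCODE_NXDOMAIN),  # portal rewrites DNS
        "forwarder": build_response(qid, ad=False),                  # answers, no validation
        "local-recursor": build_response(qid, ad=True),              # validates itself
    }
    results = {name: classify(r, qid) for name, r in replies.items()}
    return results, pick_source(results)


if __name__ == "__main__":
    results, chosen = demo()
    print(results)   # {'dhcp-resolver': 'filtered', 'forwarder': 'insecure', 'local-recursor': 'validated'}
    print(chosen)    # ('local-recursor', 'validated')
```

One caveat a practitioner should keep in mind: an AD bit in a reply from a forwarder only asserts that the forwarder validated, and over plain UDP it can be set or stripped by anyone on the path. It is only meaningful when the answer was validated locally (as the built-in recursor does) or when it arrived over an authenticated channel such as DoT, which is the point the announcement makes about DNSSEC providing integrity but not confidentiality.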