On Thu, Oct 24, 2019 at 12:24:22PM +0200, Otto Moerbeek wrote:

> On Thu, Oct 24, 2019 at 11:27:24AM +0100, Kevin Chadwick wrote:
>
> > >
> > > The purpose of unwind is to provide secure DNS services even when
> > > the available nameservers are broken or filtered like in many hotels.
> > > To do that, it prefers DNSSEC whenever possible and changes to do
> > > resolving by itself if needed.
> > >
> > > DNSSEC only offers integrity and authenticity. To protect
> > > eavesdropping on the requests in transit, encryption is needed, as
> > > offered by e.g. DNS over TLS (DoT) and DNS over HTTP (DoT). unwind
> >
> > Before I jump aboard with DNSSEC's failings in mind on my own networks
> > rather than the mentioned hotel scenario, I believe, but I am still not
> > certain, that services like PowerDNS have secure channels to the main
> > primary DNS servers that apparently do not scale for the rest of us?
> > Otherwise I worry that the network security target is a more singular
> > centralised target compared to e.g. unbound.
> >
>
> Guess what the default config of unwind does: it runs a local resolver
> and learns from DHCP. It will select either one, with DNSSEC working
> preferred. DNSSEC operations are sometimes blocked by crappy
> middleware. Unwind's resolver is basically a built-in simple unbound;
> the code uses libunbound.
>
> So the default config of unwind addresses both your concerns.
>
> 	-Otto
>
To elaborate: unwind checks if DNSSEC works on any source and switches back
to non-validation if needed. The whole point of unwind is that it will try
to provide the best DNS service possible in any circumstance.

	-Otto
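The selection behaviour Otto describes (probe each candidate source, prefer one on which DNSSEC validation works, fall back to a non-validating source, skip sources that are broken) can be modelled as a small decision procedure over the DNS response headers a probe gets back. The script below is an added illustration, not unwind's code (unwind uses libunbound and its own probe logic); the source names, the 12-byte header-only sample responses and the two-query probe (one correctly signed name, one name with deliberately broken signatures) are constructed for the example. A validating source sets the AD bit on the signed name and returns SERVFAIL for the bogus one; a non-validating source answers both with NOERROR; a filtered hotel resolver returns REFUSED or nothing.

```python
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_REFUSED = 0, 2, 5

# Header flag bits (RFC 1035 / RFC 4035): QR, TC, RD, RA, AD, CD, RCODE.
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
FLAG_RA, FLAG_AD, FLAG_CD = 0x0080, 0x0020, 0x0010


def make_header(flags, ancount=0, qid=0x1234):
    """Build a constructed 12-byte DNS header (QDCOUNT=1, no sections)."""
    return struct.pack(">HHHHHH", qid, flags, 1, ancount, 0, 0)


def parse_header(msg):
    """Decode the fixed DNS header; None for a timeout or truncated reply."""
    if msg is None or len(msg) < 12:
        return None
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify_source(signed_resp, bogus_resp):
    """Classify a source from its replies to a signed and a bogus probe name.

    "validating": signed name answered with AD set, bogus name SERVFAILs.
    "non-validating": signed name answered but no validation evidence.
    "broken": no usable answer for the signed name (timeout, REFUSED, ...).
    """
    good = parse_header(signed_resp)
    bad = parse_header(bogus_resp)
    if (good is None or not good["qr"] or good["tc"]
            or good["rcode"] != RCODE_NOERROR or good["ancount"] == 0):
        return "broken"
    if good["ad"] and bad is not None and bad["rcode"] == RCODE_SERVFAIL:
        return "validating"
    # AD set but bogus data accepted, or no AD at all: treat as unvalidated.
    return "non-validating"


# Preference order: DNSSEC-validating first, then anything that answers.
PREFERENCE = ("validating", "non-validating")


def pick_source(probes):
    """probes: list of (name, signed_resp, bogus_resp) in configured order.

    Returns (name, status) of the best usable source, or (None, "none").
    """
    results = [(name, classify_source(s, b)) for name, s, b in probes]
    for wanted in PREFERENCE:
        for name, status in results:
            if status == wanted:
                return name, status
    return None, "none"


# Constructed probe results standing in for three candidate sources.
SAMPLE_PROBES = [
    # Hotel DHCP resolver: REFUSED for the signed name, timeout for the bogus one.
    ("dhcp-hotel", make_header(FLAG_QR | FLAG_RD | FLAG_RA | RCODE_REFUSED), None),
    # DHCP-supplied forwarder that answers everything but never validates.
    ("dhcp-forwarder", make_header(0x8180, ancount=1), make_header(0x8180, ancount=1)),
    # Local recursive resolver: AD on the signed name, SERVFAIL on the bogus one.
    ("recursor", make_header(0x81A0, ancount=1), make_header(0x8182)),
]

if __name__ == "__main__":
    for name, s, b in SAMPLE_PROBES:
        print(f"{name:15s} {classify_source(s, b)}")
    print("selected:", pick_source(SAMPLE_PROBES))
```

With all three sources present the local recursor wins; drop it from the list and the non-validating forwarder is used rather than nothing, which is the fallback Otto describes; leave only the hotel resolver and no source is selected.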