On Wed, Jul 29, 2020 at 03:51:17PM +0200, Sebastian Benoit wrote:
> If I remember correctly, the fallout was caused by EDNS but I might be
> wrong. The unbound commit caused a developer some headscratching, because
> his upstream internet did not work with such packets, which led to immediate
> backout of the change, because a default config that does not work is not
> good.

It was time. Running DNSSEC validation on a system without an RTC is not a good idea. NTP could not fix this because it depends on working DNS. This has since been addressed by Otto.

The edns problem is well understood and has nothing to do with turning DNSSEC validation on in unbound since unbound always sends an edns0 option. So if your network sucks so badly that you can't edns0 you can't use unbound, period.

--
I'm not entirely sure you are real.
