On Thu, 4 Oct 2012, Ondrej Mikle wrote:
> Notes on unbound and defaults:
> - I suggest avoiding a forwarder (ub_ctx_set_fwd), as the most commonly
> deployed recursive DNS resolvers at ISPs will fail for DNSSEC (usually due
> to DS records).
Really? When Google DNS fixed DS handling, I thought basically all that
went away. Perhaps not when using OpenDNS, but really, we can't support
OpenDNS one way or the other.
It's generally better to try to use the DHCP-obtained DNS as forwarder,
as many hotspots block port 53 for all but their local resolver.
> Instead use libunbound as a full recursive resolver. It will take a few
> queries to get its cache heated, but it's rather quick unless you go over a
> very slow network like Tor.
Yes, but with prefetching and hopefully running libunbound in the
app with resolver 127.0.0.1, performance should be pretty good, as most
of the root/TLD domains are already in the unbound daemon cache, and the
crypto for the libunbound instance is pretty cheap.
> - Attempting to use ub_ctx_hosts() with the default locations, on the other
> hand, might be a good idea for preserving the user's mappings for local
> machines, etc.
Yeah, keep those. That's what I did as well for the openswan dnssec
patch.
> - Some distros like Fedora, RHEL and clones distribute unbound with root
> anchors, some like Debian/Ubuntu don't. But I generally wouldn't count on
> the key being present on a typical user's machine.
See the other discussion about compiled in key locations for the
library. I think that's a good idea.
Paul
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users