On 2018-04-30 at 12:26 -0400, Paul Wouters via Unbound-users wrote:
> On Mon, 30 Apr 2018, Phil Pennock via Unbound-users wrote:
> > You needed Unbound before. Are you _sure_ you still need it? It might
> > be that systemd-resolved does what you need now.
>
> Does systemd-resolved still send out your query over ALL interfaces'
> DNS servers and trust the FIRST answer that comes back regardless of
> DNSSEC status?

Pass: it lacked the configurability I needed to be a viable option for
the deployment where I was looking.

EC2 instance, needs access to resolve "internal." and "amazonaws.com."
using the in-VPC Amazon-provided DNS resolvers, for customized results,
but resolving everything else via direct resolution, because Amazon's
resolvers break DNSSEC.

So I had a solid basis for sticking with Unbound, so that I could get
validation for everything except the domains which _have_ to be passed
on to certain upstreams.

Cue much cussing yesterday. On the bright side, I got a debugged setup
in time to share details to help someone else.

-Phil
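
An unbound.conf sketch of the split described in the message above, added here as an illustration; it is not the configuration from the original post. The trust-anchor path and the resolver address 169.254.169.253 are assumptions to adapt to the instance.

```conf
# Added example; not the setup from the original post.
server:
    # Validate DNSSEC for everything resolved directly from the root.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

    # Turn validation off only for the zones that must go to the VPC
    # resolver, since its answers cannot be validated.
    domain-insecure: "internal."
    domain-insecure: "amazonaws.com."

# Only these two zones are forwarded. There is no forward-zone for ".",
# so every other name is resolved iteratively and validated.
forward-zone:
    name: "internal."
    forward-addr: 169.254.169.253   # assumed: Amazon-provided VPC resolver

forward-zone:
    name: "amazonaws.com."
    forward-addr: 169.254.169.253   # assumed: Amazon-provided VPC resolver
```

Running `unbound-checkconf` against the file catches syntax errors before the daemon is restarted.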
