[Nottingham] Dnscrypt: bleeding edge privacy - HowTo
Martin
martin at ml1.co.uk
Wed May 30 12:18:23 UTC 2012
On 28/05/12 22:56, Mike Cardwell wrote:
> On 28/05/12 22:47, Martin wrote:
[---]
>
>> So... Is anything special needed to run DNSSEC through the
>> VirginMedia DNS servers?
>
>> Any other (faster?) alternatives than the Google open DNS?
>
> Why do you have to forward through somebody else's DNS servers? Why
> can't you just leave Bind to perform the full resolution?
Done that and it works fine, including for dnssec. Your example domain
returns a good result.
I've set (Bind9):
options {
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        // Various other stuff
};
And:
zone "." IN {
        type hint;
        file "named.cache";
};
for the root servers list. (Gentoo calls the file named.cache rather
than the more understandable root.hints :-( )
Is there any need to add:
dnssec-lookaside "." trust-anchor "dlv-registry.org.";
?
That's not in at the moment.
The initial lookups appear to be a little slower than for non-dnssec
forwarding via VirginMedia's dns caches.
Can the root servers withstand everyone abandoning their ISP's dongled
DNS caches?...
Next question is for how to add DNSSEC to my own domains... ;-)
Cheers,
Martin
- --
- - ------------------ - ----------------------------------------
- - Martin Lomas - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- - martin @ ml1 co uk - Import from hkp://subkeys.pgp.net or
- - ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
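
Added example, not part of the original post: one way to confirm that a resolver configured as above is really validating is to read the header of a `dig +dnssec` reply and look for the AD (authenticated data) flag. The function name, the resolver address in the comment and the sample headers are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the header of a
# `dig +dnssec` reply. Live use (resolver address and name are assumptions):
#   dig +dnssec @127.0.0.1 example.org | classify_dig
classify_dig() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # Header flags sit between "flags:" and the first ";".
            # The EDNS line ("; EDNS: ... flags: do;") starts with one ";"
            # and is deliberately not matched: "do" is a request bit only.
            line = $0
            sub(/^;; flags:/, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "")              print "unparsed"
            else if (status == "SERVFAIL") print "servfail"   # re-query with +cd
            else if (ad)                   print "validated"  # AD flag set
            else                           print "insecure"   # answer, no AD
        }'
}

# Constructed sample headers (not captured from a real resolver).
SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096'
UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096'
BROKEN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SIGNED" "$UNSIGNED" "$BROKEN"; do
    printf '%s\n' "$s" | classify_dig
done
```

A "servfail" result from a validating resolver is ambiguous on its own; if the same query succeeds with `+cd` (checking disabled), the failure came from DNSSEC validation rather than from an outage.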