[Nottingham] Dnscrypt: bleeding edge privacy - HowTo

Martin martin at ml1.co.uk
Wed May 30 12:18:23 UTC 2012



On 28/05/12 22:56, Mike Cardwell wrote:
> On 28/05/12 22:47, Martin wrote:
[---]
> 
>> So... Is anything special needed to run DNSSEC through the 
>> VirginMedia DNS servers?
> 
>> Any other (faster?) alternatives than the Google open DNS?
> 
> Why do you have to forward through somebody elses DNS servers? Why 
> can't you just leave Bind to perform the full resolution?

Done that and it works fine, including for dnssec. Your example domain
returns a good result.


I've set (Bind9):

options {

       dnssec-enable yes;
       dnssec-validation yes;
       dnssec-lookaside auto;

// Various other stuff

};

And:

zone "." IN {
        type hint;
        file "named.cache";
};

for the root servers list. (Gentoo calls the file named.cache rather
than the more understandable root.hints :-( )


Is there any need to add:

dnssec-lookaside "." trust-anchor "dlv-registry.org.";

?

That's not in at the moment.


The initial lookups appear to be a little slower than for non-dnssec
forwarding via VirginMedia's dns caches.

Can the root servers withstand everyone abandoning their ISP's dongled
DNS caches?...


Next question is for how to add DNSSEC to my own domains... ;-)

Cheers,
Martin

-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
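A way to confirm that the validating Bind setup described in the message above is actually validating, as an added example that is not from the list post or from Bind itself. It classifies a resolver's behaviour from `dig` output (the AD bit, and SERVFAIL that clears with `+cd`) using constructed sample headers, and, when `dig` is installed, runs the same check against a local resolver; the resolver address 127.0.0.1 and the test names isc.org (signed) and dnssec-failed.org (deliberately broken) are assumptions.

```python
import re
import shutil
import subprocess

# dig prints one header line carrying the RCODE and one line with the flags.
HEADER_RE = re.compile(r"^;; ->>HEADER<<-.*status: (\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)

def parse_dig(output):
    """Return (rcode, set of header flags) from dig's text output."""
    status = HEADER_RE.search(output)
    flags = FLAGS_RE.search(output)
    rcode = status.group(1) if status else "NONE"
    return rcode, set(flags.group(1).split()) if flags else set()

def classify(normal, checking_disabled):
    """Classify a name from a plain query and the same query sent with +cd.

    secure   - NOERROR with the AD bit: the resolver validated the chain
    insecure - NOERROR without AD: zone unsigned, or dnssec-validation off
    bogus    - SERVFAIL, but NOERROR with +cd: validation is on and the
               chain failed (what a deliberately broken test zone should give)
    unknown  - anything else (NXDOMAIN, timeout, resolver unreachable ...)
    """
    rcode, flags = parse_dig(normal)
    cd_rcode, _ = parse_dig(checking_disabled)
    if rcode == "NOERROR" and "ad" in flags:
        return "secure"
    if rcode == "NOERROR":
        return "insecure"
    if rcode == "SERVFAIL" and cd_rcode == "NOERROR":
        return "bogus"
    return "unknown"

def query(name, server="127.0.0.1", cd=False):
    """Run dig against the resolver under test and return its text output."""
    args = ["dig", "@" + server, name, "A", "+dnssec"] + (["+cd"] if cd else [])
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout

# Constructed, abridged dig headers for the offline demonstration (not real captures).
SAMPLE_SECURE = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2\n"
SAMPLE_INSECURE = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1\n"
SAMPLE_BOGUS = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0\n"

if __name__ == "__main__":
    print(classify(SAMPLE_SECURE, SAMPLE_SECURE), classify(SAMPLE_BOGUS, SAMPLE_INSECURE))
    if shutil.which("dig"):  # live check against the local Bind when dig is installed
        for name in ("isc.org", "dnssec-failed.org"):  # signed zone / deliberately broken zone
            print(name, classify(query(name), query(name, cd=True)))
```

A resolver that returns "insecure" for a zone known to be signed is forwarding or has dnssec-validation off; "secure" for the signed zone together with "bogus" for the broken one is the behaviour you want from the options block above.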


