[Nottingham] Dnscrypt: bleeding edge privacy - HowTo

Mike Cardwell nlug at lists.grepular.com
Wed May 30 19:04:14 UTC 2012


On 30/05/12 13:19, Martin wrote:

>>> So... Is anything special needed to run DNSSEC through the 
>>> VirginMedia DNS servers?
>> 
>>> Any other (faster?) alternatives than the Google open DNS?
>> 
>> Why do you have to forward through somebody else's DNS servers?
>> Why can't you just leave Bind to perform the full resolution?
> 
> Done that and it works fine, including for dnssec. Your example
> domain returns a good result.
> 
> I've set (Bind9):
> 
> options {
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-lookaside auto;
>     // Various other stuff
> };
> 
> And:
> 
> zone "." IN { type hint; file "named.cache"; };
> 
> for the root servers list. (Gentoo calls the file named.cache
> rather than the more understandable root.hints :-( )
> 
> Is there any need to add:
> 
> dnssec-lookaside "." trust-anchor "dlv-registry.org.";
> 
> ?
> 
> That's not in at the moment.

I would say not. dlv-registry was created to help jump-start DNSSEC
adoption before the major TLDs started signing their zones. They now
sign them so I don't think it has much use any more.

> The initial lookups appear to be a little slower than for
> non-dnssec forwarding via VirginMedia's dns caches.
> 
> Can the root servers withstand everyone abandoning their ISP's
> dongled DNS caches?...

I bet they could actually. As long as it doesn't all happen on the
same day ;) The only reason the root servers exist is to tell clients
the nameservers for "com", "net" and the other TLDs. You look that
information up once and then it sits in your cache for 2 days.

> Next question is for how to add DNSSEC to my own domains... ;-)

At the risk of being accused of spamming my own blog, you might find
this to be a good start: https://grepular.com/Understanding_DNSSEC

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
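As an added check, not part of the thread or of Bind itself: a small stdlib-only Python script that sends a query with the EDNS0 DO bit to a resolver and reads the AD (Authenticated Data) flag and RCODE from the reply, which is how to confirm that a resolver configured with `dnssec-validation yes` is really validating rather than just forwarding. The resolver address 127.0.0.1 is a placeholder for the local Bind9 instance discussed above.

```python
import socket
import struct

QUERY_ID = 0x1234  # fixed transaction id for this constructed example

def build_query(name, qtype=1):
    """Build a DNS query (RD set) carrying an EDNS0 OPT record with the DO bit,
    which asks the resolver for DNSSEC data and marks the client as DNSSEC-aware."""
    header = struct.pack(">HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 1)  # flags=RD, QD=1, AR=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # qtype, class IN
    # OPT RR: root owner, type 41, UDP payload 4096, ext-rcode 0, version 0,
    # flags with DO=0x8000, rdlength 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Extract transaction id, RCODE and the AD/TC bits from a DNS response header."""
    txid, flags = struct.unpack(">HH", response[:4])
    return {"id": txid, "rcode": flags & 0x000F,
            "ad": bool(flags & 0x0020), "tc": bool(flags & 0x0200)}

def validation_status(flags):
    """Interpret the header the way a validating resolver's reply should read."""
    if flags["rcode"] == 0 and flags["ad"]:
        return "validated"    # resolver asserts the answer passed DNSSEC validation
    if flags["rcode"] == 2:
        return "servfail"     # what a validating resolver returns for a domain that fails validation
    return "unvalidated"      # answered, but the resolver did not assert validation

def check(resolver_ip, name, timeout=3.0):
    """Send the query over UDP to resolver_ip:53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    flags = parse_flags(data)
    if flags["id"] != QUERY_ID:
        raise ValueError("transaction id mismatch")
    return validation_status(flags)

if __name__ == "__main__":
    # placeholder address: point this at the local Bind9 resolver from the thread
    print(check("127.0.0.1", "grepular.com"))
```

A "validated" result for a signed domain plus "servfail" for a domain whose signatures are known to be broken is the pair of outcomes that shows the resolver is doing the validation itself.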
