On May 30, 2013, at 7:02 PM, Viktor Dukhovni <[email protected]> wrote:
>> How does that help if you can't retrieve DNSSEC records?
>
> The Google 8.8.8.8 DNS cache does return DNSSEC records, as shown
> below: So clients that can reach 8.8.8.8 or similar, can bypass
> their ISP's cache when the ISP cache is DNSSEC hostile.
>
> The remaining issue is jailed clients joining hotspots, ... that
> may not be able to reach any external DNS servers. This too can
> be addressed (for example via the "CD" bit and HTTP and perhaps
> a UI for joining networks that disables DNSSEC until the mobile
> device is out of jail).

I am very interested in the last-mile and one of the ways we've tried to approach the last mile is by allowing folk to try.

Enter dnssec-trigger, a tool that does some config magic and allows you to run a validating resolver on 127.0.0.1.

At this moment it is clear to me that what we've done is not yet at the consumer level; on the other hand we are building a corpus of operational experience on the type of problems people run into. I invite/encourage folk to try the tool and help us build experience by sharing their experiences on the dnssec-trigger mailing list.

My personal experience is that you will need to understand a bit of troubleshooting and an occasional "unbound-control flush_zone ." to get you out of misery.

(See https://www.nlnetlabs.nl/projects/dnssec-trigger/ which is signed by CACERT, for which most of you will not have a trust-anchor in their browser; however www.nlnetlabs.nl comes with a TLSA record, oh irony)

--Olaf

PS Chairs, I accept a slap if this is on the wrong side of the border of promotion.
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
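The thread turns on two things a last-mile client has to find out about the cache in front of it: whether it passes DNSSEC data through at all (Viktor's "DNSSEC hostile" case) and whether the CD bit can be used to get an answer past a validator. The following is an added example, not code from the list or from dnssec-trigger: it builds a raw DNS query with the EDNS0 DO bit and an optional CD bit, parses the response header and answer section, and classifies the resolver from the AD flag and the presence of RRSIG records. The `example.net` name, the 192.0.2.1 address and the placeholder RRSIG fields in `_sample_response` are constructed test data so the classification runs offline; `probe()` does the same against a live server.

```python
"""Probe a recursive resolver for DNSSEC support.

Added example (not from the dane thread): a query with the EDNS0 DO bit,
optionally with CD set, and a classifier over the response flags and RR types.
"""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_RA = 1 << 15, 1 << 8, 1 << 7
FLAG_AD, FLAG_CD = 1 << 5, 1 << 4


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, cd=False, txid=0x1234):
    """Recursive query for <name> with DO=1; CD=1 asks the cache not to validate."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL field carries DO.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 1 << 15, 0)
    return header + question + opt


def skip_name(msg, off):
    """Advance past a name; a compression pointer (0xC0..) ends the name in 2 bytes."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return rcode, AD/CD flags and the RR types seen in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "has_rrsig": TYPE_RRSIG in types,
            "answer_types": types}


def classify(info):
    """AD + RRSIG: validating; RRSIG only: pass-through; no RRSIG: hostile cache."""
    if info["rcode"] != 0:
        return "resolution failed"
    if info["has_rrsig"] and info["ad"]:
        return "validating resolver"
    if info["has_rrsig"]:
        return "passes DNSSEC data, does not validate"
    return "DNSSEC-hostile (strips RRSIG)"


def probe(server, name, cd=False, timeout=3.0):
    """Send one UDP query to <server>:53 and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, cd=cd), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def _sample_response(ad=True, include_rrsig=True):
    """Constructed response (not captured traffic) for offline testing."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    rrs = [struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 1])]
    if include_rrsig:
        # RRSIG RDATA: 18 bytes of fixed fields, signer name, signature (placeholders).
        rdata = b"\x00" * 18 + encode_name("example.net") + b"\x00" * 16
        rrs.append(struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(rdata)) + rdata)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    question = encode_name("example.net") + struct.pack("!HH", TYPE_A, 1)
    # Each answer owner name is a pointer to the question name at offset 12.
    return header + question + b"".join(b"\xc0\x0c" + rr for rr in rrs)


if __name__ == "__main__":
    for ad, sig in ((True, True), (False, True), (False, False)):
        print(ad, sig, "->", classify(parse_response(_sample_response(ad, sig))))
```

Against a live cache, `classify(probe("8.8.8.8", "example.net"))` shows the distinction Viktor draws; re-running with `cd=True` is the mechanism Olaf refers to for getting a usable answer out of a hotspot resolver whose upstream fails validation, at the cost of the AD flag.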
