On Mon, Feb 24, 2014 at 04:38:12PM -0600, /dev/rob0 wrote:
> On Mon, Feb 24, 2014 at 02:36:46PM -0700, LuKreme wrote:
> > On 24 Feb 2014, at 06:09 , Viktor Dukhovni
> > <postfix-us...@dukhovni.org> wrote:
> > > On Mon, Feb 24, 2014 at 12:26:42PM +0100, Dirk Stöcker wrote:
> > >
> > > Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
> > > mailserver has TLSA records. Enabling DNSSEC does not prevent
> > > you from communicating with the rest of the world. Furthermore,
> > > you can enable DNSSEC validation in your resolver before your
> > > own domain is signed. The two are independent.
> >
> > Wait, what? You can?
>
> My zone "nodns4.us" is signed. You can set up your resolver to verify
> these signatures. Later on you might want to sign "kreme.com", and
> indeed, this has nothing to do with your local resolver.
>
> > Hmmm... Hover.com is still not supporting DNSSEC, but I can still
> > validate my domains?
> >
> > That's not exactly what you said, is it?
>
> Does your domain registrar control (or even ask to control) what you
> list in your /etc/resolv.conf file? Mine doesn't. And my resolv.conf
> points to "nameserver 127.0.0.1", my own local resolver, which does
> perform DNSSEC validation.
>
> > > It only takes a few minutes to configure a validating recursive
> > > resolver. Install unbound and make sure it performs automatic
> > > tracking of the root zone DNSKEY.
> >
> > unbound is better than bind for this sort of thing? (I noticed
>
> "Better" is subjective. I doubt it. It is trivial to enable DNSSEC
> validation in BIND. In fact it almost works out of the box. There's
> only one thing to set, in the named.conf(5) options stanza, to wit:
>
> options {
>     [ ... ]
>     dnssec-validation auto;
> };
>
> (Offer void where taxed or prohibited, or if your BIND version is
> unsupported/EOL. Right now that means BIND 9.7 and earlier -- now
> including the recently retired 9.6-ESV branch.)
>
> > freeBSD 10 has switched from bind to unbound, I expect they have
> > good reason).
>
> And the FreeBSD BIND package has defined empty zones for years,
> despite the BIND empty zones feature which has existed all along.
> Perhaps their reasons are rooted in misunderstandings of BIND?
FreeBSD changed to unbound as a local resolver, not as a replacement for the DNS server BIND. It is explicitly stated in their release notes that the change is to unbound as a local resolver, not as a replacement for providing the DNS service.

> I can't say anything good or bad about unbound, never having used
> anything other than BIND. I've had no reason to change.
>
> > >> My Registrar said today:
> > >> "Sorry, currently it is not possible to use DNSSec for domains
> > >> registered here."
> > >
> > > Vote with your feet. I'm transferring my domains to a registrar
> > > with better DNSSEC support (and incidentally lower price).
> >
> > Yes, well, in general registrars kind of suck, and hover doesn't
> > suck. But yes, they need to get DNSSEC sorted.
>
> I'd call lack of DNSSEC support a serious drawback. I'm on Godaddy
> for now, but I'm probably going to jump ship to GKG.net. They make
> the claim to be DNSSEC-friendly. It sounds like you can run your
> master nameserver and sign your zone, and they will provide slave
> (secondary) name service for free (included with the domain
> registration cost.)
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
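Setting `dnssec-validation auto;` in BIND, or pointing unbound at an automatically tracked root key, does not by itself tell you that the resolver on 127.0.0.1 is validating. The usual check is `dig +dnssec <signed-name> @127.0.0.1` and a look for the `ad` (Authenticated Data) flag in the header. The script below is an added example, not code from this thread or from either resolver project: it parses dig's `;; flags:` line, with two constructed sample headers (one validated, one not) embedded so it runs offline, and uses `nodns4.us.` as the default query name only because rob0 states above that his zone is signed.

```shell
#!/bin/sh
# Added example: decide from the output of
#   dig +dnssec <name> @127.0.0.1
# whether the answering resolver validated the data, i.e. whether the
# "ad" flag is present in dig's header flags line.
# Exit status: 0 = ad flag set, 1 = flags line present but no ad,
#              2 = no flags line found (not dig output, or a timeout).
dnssec_ad_flag() {
    flags=$(printf '%s\n' "$1" \
        | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    [ -n "$flags" ] || return 2
    case " $flags " in
        *" ad "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Query the local resolver for a signed name and report the result.
# Requires dig and a running resolver on 127.0.0.1; exit 2 if dig fails.
check_local_resolver() {
    name=${1:-nodns4.us.}
    out=$(dig +dnssec "$name" A @127.0.0.1 2>/dev/null) || return 2
    dnssec_ad_flag "$out"
}

# Constructed sample: header lines as returned by a validating resolver.
VALIDATED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: the same answer from a resolver that does not validate.
UNVALIDATED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Stand-alone run: show the verdict for both samples, then for the
# real local resolver if dig is available.
for sample in "$VALIDATED_SAMPLE" "$UNVALIDATED_SAMPLE"; do
    if dnssec_ad_flag "$sample"; then
        echo "validated (ad flag set)"
    else
        echo "not validated (no ad flag)"
    fi
done
if command -v dig >/dev/null 2>&1; then
    if check_local_resolver; then
        echo "127.0.0.1 validated nodns4.us."
    else
        echo "127.0.0.1 did not validate nodns4.us. (rc=$?)"
    fi
fi
```

The `ad` bit is set by the resolver that answered, so query 127.0.0.1 directly rather than a forwarder further up; a signed name that comes back without `ad` means the local resolver is not validating at all (no `dnssec-validation auto;`, or no usable trust anchor), not that the zone is broken.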