> On Oct 27, 2017, at 12:34 AM, g...@pztop.com wrote:
> 
> For the DNS part (condition 1) I run a local bind DNS server. The named.conf 
> has lines:
> 
> forward only;
> forwarders {
>     8.8.8.8;
>     8.8.4.4;
> };
> 
> dnssec-enable yes;
> dnssec-validation yes;

Personally, I would not choose to forward all my DNS queries to
Google; they collect enough information about everyone already.

Otherwise, this is fine, but you also need to make sure that you've
implemented RFC 5011 automatic root trust anchor rollover.  While
the originally planned root key was postponed from this month to
some time in 2018, it will eventually happen.  So everyone reading
this list who's using a validating resolver needs to be sure that
their resolvers are doing automated root zone key tracking.

-- 
        Viktor.

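An added example (not part of the original message, and not BIND's own tooling): a small Python check of named.conf text for the RFC 5011 root key tracking the reply asks for. It goes slightly beyond the quoted config by also recognising `dnssec-validation auto` and the `managed-keys` / `trusted-keys` statements; the sample configs are constructed, the key data is a placeholder, and `include`d files are not followed.

```python
import re

# Quoted strings are matched first so "//" inside base64 key data is not
# mistaken for a comment; only real comments are removed.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", conf)

def has_root_entry(conf, statement):
    """True if a `statement { ... };` block holds an entry for the root zone."""
    blocks = re.findall(re.escape(statement) + r"\s*\{(.*?)\}\s*;", conf, re.S)
    return any(re.search(r'(?:^|;)\s*"?\.["\s]', b) for b in blocks)

def audit(conf):
    """Return (status, reason) for root trust anchor handling in named.conf text."""
    conf = strip_comments(conf)
    m = re.search(r"\bdnssec-validation\s+(\w+)\s*;", conf)
    mode = m.group(1).lower() if m else None
    if mode == "auto":
        return "OK", "built-in root anchor is maintained as a managed key (RFC 5011)"
    if mode == "yes":
        if has_root_entry(conf, "managed-keys"):
            return "OK", "root anchor in managed-keys is tracked per RFC 5011"
        if has_root_entry(conf, "trusted-keys"):
            return "WARN", "root anchor in trusted-keys is static and will not roll"
        return "WARN", "no root trust anchor here; check included files"
    return "WARN", "validation is off or not set explicitly"

# Constructed sample: the options quoted in the thread, inside an options block.
THREAD_CONF = """
options {
    forward only;
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-enable yes;
    dnssec-validation yes;   // validates, but needs an explicit anchor
};
"""
# Constructed sample: same options plus a managed root key (placeholder data).
MANAGED_CONF = THREAD_CONF + """
managed-keys {
    . initial-key 257 3 8 "PLACEHOLDER//ROOT+KSK+BASE64";
};
"""

if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONF), ("managed", MANAGED_CONF)):
        print(name, *audit(text))
```

With `dnssec-validation yes`, BIND validates only against an anchor you configure yourself, so the quoted options alone produce a warning until a `managed-keys` entry (or `dnssec-validation auto`) is in place.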