> On Oct 27, 2017, at 12:34 AM, g...@pztop.com wrote:
>
> For the DNS part (condition 1) I run a local bind DNS server. The named.conf
> has lines:
>
>     forward only;
>     forwarders {
>         8.8.8.8;
>         8.8.4.4;
>     };
>
>     dnssec-enable yes;
>     dnssec-validation yes;

Personally, I would not choose to forward all my DNS queries to Google; they collect enough information about everyone already.

Otherwise, this is fine, but you also need to make sure that you've implemented RFC 5011 automatic root trust anchor rollover. While the originally planned root key was postponed from this month to some time in 2018, it will eventually happen. So everyone reading this list who's using a validating resolver needs to be sure that their resolvers are doing automated root zone key tracking.

-- 
Viktor.
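
A check for the point made in the reply above, as an added example that is not part of the original thread: it classifies how a BIND configuration maintains the root trust anchor, separating RFC 5011 tracking (`dnssec-validation auto`, `managed-keys`, or `initial-*` entries in `trust-anchors`) from static anchors and from `dnssec-validation yes` with no root anchor. The function names and status strings are hypothetical, the sample config is constructed from the quoted lines, an unset `dnssec-validation` is treated as `yes`, and `include` files (where a distribution may supply the anchor) are not followed.

```python
import re

# Constructed input: the options quoted in the thread, wrapped in an options block.
THREAD_CONF = """
options {
    forward only;
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-enable yes;
    dnssec-validation yes;   // validates only against configured anchors
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments, leaving quoted key material untouched."""
    pattern = r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return re.sub(pattern, keep_strings, text, flags=re.S)

def root_anchor_status(conf_text):
    """Classify how the root trust anchor is maintained in this config text."""
    conf = strip_comments(conf_text)
    m = re.search(r"\bdnssec-validation\s+(\w+)\s*;", conf)
    mode = m.group(1).lower() if m else "yes"  # assumption: unset treated as "yes"
    if mode == "no":
        return "validation-off"
    if mode == "auto":
        return "rfc5011"  # built-in root anchor, tracked automatically
    managed = static = False
    blocks = re.findall(
        r"\b(managed-keys|trusted-keys|trust-anchors)\s*\{(.*?)\}\s*;", conf, flags=re.S)
    for kind, body in blocks:
        for entry in body.split(";"):
            tok = entry.split()
            if len(tok) < 2 or tok[0].strip('"') != ".":
                continue  # not an anchor for the root zone
            if kind == "managed-keys" or tok[1].startswith("initial-"):
                managed = True
            else:
                static = True
    if static:
        return "static"  # will not follow a root KSK roll by itself
    return "rfc5011" if managed else "no-root-anchor"

if __name__ == "__main__":
    print(root_anchor_status(THREAD_CONF))
```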