On Mon, Feb 24, 2014 at 02:36:46PM -0700, LuKreme wrote:

> > Furthermore, you
> > can enable DNSSEC validation in your resolver before your own domain
> > is signed. The two are independent.
>
> Wait, what? You can?

Sure, you can validate other people's domains even if your own domain
is not signed. These are independent.

> > It only takes a few minutes to configure a validating recursive
> > resolver. Install unbound and make sure it performs automatic
> > tracking of the root zone DNSKEY.
>
> unbound is better than bind for this sort of thing? (I noticed FreeBSD 10 has
> switched from bind to unbound, I expect they have good reason).

BIND is fine too, but I've not looked at how it is packaged on various
systems. I know that the unbound package typically includes scripts
to automatically handle root zone key rollover. Perhaps modern BIND
packages do that also.

--
Viktor.
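
Added example, not part of the original message or of any project's code: a way to check whether a recursive resolver is actually validating, by sending a query with the EDNS0 DO bit set and reading the AD flag and RCODE from the response header. The resolver address 127.0.0.1:53 and the sample headers are assumptions constructed for illustration.

```python
import socket
import struct

QR, AD, RCODE_MASK, SERVFAIL = 0x8000, 0x0020, 0x000F, 2

def build_query(name, qtype=1, txid=0x1234):
    """DNS query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = [l.encode("ascii") for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0,
    # flags 0x8000 (DO), empty RDATA
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def classify_response(packet):
    """Return 'validated', 'unvalidated' or 'servfail' from the header flags."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", packet[:4])
    if not flags & QR:
        raise ValueError("not a response")
    if (flags & RCODE_MASK) == SERVFAIL:
        # A validating resolver answers SERVFAIL for data that fails
        # validation; SERVFAIL can also have unrelated causes.
        return "servfail"
    # AD set: the resolver validated the answer. AD clear on a signed zone:
    # the resolver is not validating.
    return "validated" if flags & AD else "unvalidated"

def _hdr(flags):
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

# Constructed response headers (not captured traffic).
SAMPLE_VALIDATED = _hdr(0x81A0)    # QR RD RA AD, NOERROR
SAMPLE_UNVALIDATED = _hdr(0x8180)  # QR RD RA, NOERROR
SAMPLE_SERVFAIL = _hdr(0x8182)     # QR RD RA, SERVFAIL

if __name__ == "__main__":
    # Assumption: the resolver under test listens on 127.0.0.1:53.
    # The root zone is signed, so its SOA (type 6) should come back with AD.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(".", qtype=6), ("127.0.0.1", 53))
        print(classify_response(s.recv(4096)))
```

The AD flag is only meaningful when the path between the client and the resolver is trusted, which is why the check is run against a resolver on the local host.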