* Viktor Dukhovni <postfix-users@postfix.org>:
> On Mon, Feb 24, 2014 at 02:36:46PM -0700, LuKreme wrote:
>
> > > Furthermore, you
> > > can enable DNSSEC validation in your resolver before your own domain
> > > is signed. The two are independent.
> >
> > Wait, what? You can?
>
> Sure, you can validate other people's domains even if your own
> domain is not signed. These are independent.
>
> > > It only takes a few minutes to configure a validating recursive
> > > resolver. Install unbound and make sure it performs automatic
> > > tracking of the root zone DNSKEY.
> >
> > unbound is better than bind for this sort of thing? (I noticed freeBSD 10
> > has switched from bind to unbound, I expect they have good reason).
>
> BIND is fine too, but I've not looked at how it is packaged on
> various systems. I know that the unbound package typically includes
> scripts to automatically handle root zone key rollover. Perhaps
> modern BIND packages do that also.

Unbound is *said* to be faster by a factor of 10. If you are looking for
a resolver only, you are fine with unbound.

Be sure to run

    unbound-control-setup

the first time and to let it create some keys, or you will not be able to
control your unbound resolver via the command line:

    unbound-control flush example.com

will flush the cache for example.com. Useful when you set up a DNSSEC
domain or TLSA or ... and you don't get it right the first time. It so
happened here ... ;)

p@rick

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
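
An added example, not part of the thread above: one way to check that the local resolver really validates, by classifying the header lines that dig prints. It assumes dig (from the BIND utilities) is installed and that the resolver listens on 127.0.0.1; the function name dnssec_status and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads dig output on stdin and prints one of:
#   secure    AD flag set: the resolver validated the answer
#   insecure  answer returned without AD (unsigned zone, or no validation)
#   servfail  what a validating resolver returns for data that fails
#             validation (SERVFAIL also covers unrelated lookup failures)
#   unknown   no dig header found in the input
dnssec_status() {
    awk '
        /->>HEADER<<-/ {       # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {         # ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
            flags = $0
            sub(/^;; flags:/, "", flags)
            sub(/;.*/, "", flags)
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "")              print "unknown"
            else if (status == "SERVFAIL") print "servfail"
            else if (ad)                   print "secure"
            else                           print "insecure"
        }'
}

# Constructed sample headers (not captured from a real resolver).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$s" | dnssec_status
done

# Live use against the local resolver (address is an assumption):
#   dig +dnssec @127.0.0.1 example.com A | dnssec_status
# After correcting a zone, flush the cached result before re-testing:
#   unbound-control flush example.com
```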