On Mon, Feb 24, 2014 at 02:36:46PM -0700, LuKreme wrote:
> On 24 Feb 2014, at 06:09 , Viktor Dukhovni
> <postfix-us...@dukhovni.org> wrote:
> > On Mon, Feb 24, 2014 at 12:26:42PM +0100, Dirk Stöcker wrote:
> >
> > Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
> > mailserver has TLSA records. Enabling DNSSEC does not prevent
> > you from communicating with the rest of the world. Furthermore,
> > you can enable DNSSEC validation in your resolver before your
> > own domain is signed. The two are independent.
>
> Wait, what? You can?

My zone "nodns4.us" is signed. You can set up your resolver to verify
these signatures. Later on you might want to sign "kreme.com", and
indeed, this has nothing to do with your local resolver.

> Hmmm... Hover.com is still not supporting DNSSEC, but I can still
> validate my domains?
>
> That's not exactly what you said, is it?

Does your domain registrar control (or even ask to control) what you
list in your /etc/resolv.conf file? Mine doesn't. And my resolv.conf
points to "nameserver 127.0.0.1", my own local resolver, which does
perform DNSSEC validation.

> > It only takes a few minutes to configure a validating recursive
> > resolver. Install unbound and make sure it performs automatic
> > tracking of the root zone DNSKEY.
>
> unbound is better than bind for this sort of thing? (I noticed

"Better" is subjective. I doubt it. It is trivial to enable DNSSEC
validation in BIND. In fact it almost works out of the box. There's
only one thing to set, in the named.conf(5) options stanza, to wit:

options {
    [ ... ]
    dnssec-validation auto;
};

(Offer void where taxed or prohibited, or if your BIND version is
unsupported/EOL. Right now that means BIND 9.7 and earlier -- now
including the recently retired 9.6-ESV branch.)

> freeBSD 10 has switched from bind to unbound, I expect they have
> good reason).

And the FreeBSD BIND package has defined empty zones for years, despite
the BIND empty zones feature which has existed all along. Perhaps their
reasons are rooted in misunderstandings of BIND?

I can't say anything good or bad about unbound, never having used
anything other than BIND. I've had no reason to change.

> >> My Registrar said today:
> >> "Sorry, currently it is not possible to use DNSSec for domains
> >> registered here."
> >
> > Vote with your feet. I'm transferring my domains to a registrar
> > with better DNSSEC support (and incidentally lower price).
>
> Yes, well, in general registrars kind of suck, and hover doesn't
> suck.

But yes, they need to get DNSSEC sorted. I'd call lack of DNSSEC
support a serious drawback. I'm on Godaddy for now, but I'm probably
going to jump ship to GKG.net. They make the claim to be
DNSSEC-friendly. It sounds like you can run your master nameserver and
sign your zone, and they will provide slave (secondary) name service
for free (included with the domain registration cost.)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
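A check of whether the resolver named in resolv.conf actually validates, added here as an example that is not part of the thread: it reads the header lines dig prints (constructed samples are embedded below) and looks for the AD flag and the RCODE. The sample responses and the placeholder zone name are assumptions, not captured data.

```shell
#!/bin/sh
# Added example, not from the thread: decide from dig's header lines whether
# the resolver that answered is validating DNSSEC. A validating resolver sets
# the AD (authenticated data) flag on answers from correctly signed zones and
# answers SERVFAIL for a zone whose signatures are deliberately broken.
# Assumes the header format dig prints, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
#   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

# Print the RCODE (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Succeed if the flags line of dig output on stdin carries the AD flag.
dig_has_ad() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx ad
}

# $1: response for a correctly signed zone (e.g. nodns4.us from the thread)
# $2: response for a zone known to have broken signatures
# Prints validating, not-validating or inconclusive.
classify_resolver() {
    good_status=$(printf '%s\n' "$1" | dig_status)
    bad_status=$(printf '%s\n' "$2" | dig_status)
    if [ "$good_status" = NOERROR ] && printf '%s\n' "$1" | dig_has_ad \
        && [ "$bad_status" = SERVFAIL ]; then
        echo validating
    elif [ "$good_status" = NOERROR ] && [ "$bad_status" = NOERROR ] \
        && ! printf '%s\n' "$1" | dig_has_ad; then
        echo not-validating
    else
        echo inconclusive
    fi
}

# Constructed sample responses (header lines only), not from a real query.
SIGNED_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SIGNED_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
BROKEN_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

classify_resolver "$SIGNED_VALIDATED" "$BROKEN_SERVFAIL"        # validating
classify_resolver "$SIGNED_UNVALIDATED" "$SIGNED_UNVALIDATED"   # not-validating
# Live use against the resolver in resolv.conf (zone names are placeholders):
#   classify_resolver "$(dig +dnssec soa nodns4.us @127.0.0.1)" \
#                     "$(dig +dnssec soa BROKEN-ZONE-PLACEHOLDER @127.0.0.1)"
```

Querying with +cd would suppress validation and hide the AD flag, so leave the CD bit off when using this check.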