Maintained by: NLnet Labs

[Unbound-users] DNSSec validation

Paul Wouters
Fri Oct 5 00:15:09 CEST 2012

On Thu, 4 Oct 2012, Ondrej Mikle wrote:

> Notes on unbound and defaults:
> - I suggest to avoid using forwarder (ub_ctx_set_fwd) as most commonly deployed
> recursive DNS resolvers at ISPs will fail for DNSSEC (usually due to DS
> records).

Really? When google dns fixed DS handling, I thought basically all that
went away. Perhaps not when using opendns, but really, we can't support
opendns one way or the other.

It's generally better to try to use the DHCP obtained DNS as forwarder,
  as many hotspot block port 53 for all but their local resolver.

> Instead use libunbound as full recursive resolver. It will take few
> queries to get its cache heated, but it's rather quick unless you go over a very
> slow network like Tor.

Yes, but with prefetching and hopefully running the libunbound in the
app with resolver, performance should be pretty good as most
of the root/TLD domains are already in the unbound daemon cache, and the
crypto for the libunbound instance is pretty cheap.

> - Attempting to use ub_ctx_hosts() with the default locations on the other hand
> might be a good idea in preserving user's mappings for local machines, etc.

Yeah, keep those. That's what I did as well for the openswan dnssec

> - Some distros like Fedora, RHEL and clones distribute unbound with root
> anchors, some like Debian/Ubuntu don't. But I generally wouldn't count on the
> key being present on a typical user's machine.

See the other discussion about compiled in key locations for the
library. I think that's a good idea.