Periodic since 2.2 pages load blank, certs invalid
-
-
They will work okay with OpenDNS? - Thanks :)
Goto…
I read that but I just wanted to confirm because I wasn't sure if you mistyped what you said due to the way it was worded.
-
-
Just to be clear, with harden glue I see no issue, but I'm not sure that opendns supports DNSSEC, so if forwarding from opendns with DNSSEC enabled, might get "nothing".
I'm not running opendns here, but seems like it didn't support DNSSEC in the past. Not sure about now.
(For me at least, trying to use DNSSEC with non-DNSSEC capable servers results in DNS failure to resolve)
-
Obviously, as already stated multiple times here, hardening features that make use of DNSSEC will do absolutely nothing useful when you are forwarding DNS queries to OpenDNS or any other open DNS server that does not support DNSSEC at all. If you want DNSSEC, stop using OpenDNS.
-
Final followup here for me (I hope): Unbound 1.5.2rc1 has just been released, http://www.unbound.net/pipermail/unbound-users/2015-February/003774.html
Interesting part of the release notes in our case:
This release fixes a DNSSEC validation issue when an upstream server
with different trust anchors introduces unsigned records in messages.
Harden-glue when turned off allows potentially poisonous records in
the cache in the hopes of that enabling DNS resolution for 'impossible
to resolve' domains, it is fixed to have 'less cache poisoning',
quotes added because it is by definition not secure to turn off
harden-glue. New features are that "inform" can be used to see which
IPs lookup a domain, and unbound-control can use named unix pipes.According to Chris in Redmine, this should be fixed in 2.2.1.