What's new

[384.11_Alpha - builds] Testing all variants.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Would rather DNSSEC validation be kept with getdns/stubby. Have not found that dnsmasq retrieves root keys dynamically where stubby does.

Dnsmasq is a more logical location for this to occur:

- Dnsmasq can cache results, so it improves performance as multiple queries can be required to validate a record
- Dnsmasq has been proven to work well, and has a stricter DNSSEC validation than getdns (AFAIK)
- Dnsmasq is intended as the multi-role service, Stubby is merely a bridge between dnsmasq and DoT servers, design-wise it makes little sense to also move some of the burden of validating results to Stubby.
- It makes debugging easier, as dnsmasq has extensive logging capabilities
- Automatic retrieval of keys is something I see as a potential security risk (they could get compromised, compared to built-in keys), or failure to retrieve the keys could break your whole network (if the key repository goes down / changes location / gets blocked by your ISP/Country).
 
Dnsmasq is a more logical location for this to occur:

- Dnsmasq can cache results, so it improves performance as multiple queries can be required to validate a record
- Dnsmasq has been proven to work well, and has a stricter DNSSEC validation than getdns (AFAIK)
- Dnsmasq is intended as the multi-role service, Stubby is merely a bridge between dnsmasq and DoT servers, design-wise it makes little sense to also move some of the burden of validating results to Stubby.
- It makes debugging easier, as dnsmasq has extensive logging capabilities
- Automatic retrieval of keys is something I see as a potential security risk (they could get compromised, compared to built-in keys), or failure to retrieve the keys could break your whole network (if the key repository goes down / changes location / gets blocked by your ISP/Country).
I can't wait to test this out. It will be alot nicer to see dnsmasq doing it's job in conjunction with stubby.
 
I can't wait to test this out. It will be alot nicer to see dnsmasq doing it's job in conjunction with stubby.
+1 I couldn't agree more!! ;):)
 
Status
Not open for further replies.

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top