Feature #47
DNSSEC validation support for BitFolk resolvers
| Status: | Closed | Start: | 2010-11-08 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Votes: | 2 | | |
Description
BitFolk currently operates two customer-facing resolvers, which every customer VPS typically has set in /etc/resolv.conf. One of the resolvers is BIND 9, the other is Unbound running with the validator module disabled. Therefore neither is validating DNSSEC at present.
I would probably like to change the BIND 9 resolver to Unbound first, which will require a bit of work, but after that it should be trivial to enable the validator module. This would result in DNS queries that fail validation returning SERVFAIL instead of an answer.
History
Updated by admin over 13 years ago
The BIND/Unbound resolvers have been replaced with a cluster of Unbound resolvers, so validation can be turned on whenever. We will announce a turn-on date in February 2012.
Updated by halleck about 13 years ago
Status?
Updated by admin about 13 years ago
Oops, February came and went. The only thing preventing us turning on validation is that I still don't feel comfortable in working out the causes of validation failures. At home I run unbound in validation mode and in the last two months I've seen failures for nasa.gov and pool.ntp.org that I was unable to explain, although admittedly I didn't spend a lot of time on it. So I'm afraid this is blocked on me learning more about DNSSEC.
Of course there is nothing stopping you running a validating resolver on your own VPS. All you miss is the cache of other customers' lookups.
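As an added illustration of the two points raised in this ticket (enabling Unbound's validator so failing answers become SERVFAIL, and the difficulty of telling a validation failure from an ordinary outage), the following POSIX shell script is example code written for this page, not BitFolk's resolver configuration. The Unbound option names are real; the file paths, the constructed `dig` output samples and the function names are assumptions for the example. The diagnostic trick is the one a validating-resolver operator normally reaches for: repeat a SERVFAIL query with `+cd` (checking disabled), and if it then succeeds the failure was DNSSEC validation, not the authoritative servers.

```shell
#!/bin/sh
# Added example, not BitFolk's code: enable Unbound validation and
# classify what a validating resolver hands back.

# Write an Unbound config fragment that turns the validator on.
# Option names are real Unbound options; the paths are assumptions.
write_validator_conf() {
    cat > "$1" <<'EOF'
server:
    # "validator" must precede "iterator"; a non-validating resolver has only "iterator".
    module-config: "validator iterator"
    # Root trust anchor kept current by RFC 5011 rollover (initialise with unbound-anchor).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Log the reason a chain failed to validate, not just that it failed.
    val-log-level: 2
EOF
}

# Classify one dig response read from stdin. Prints one of:
#   secure   - NOERROR/NXDOMAIN with the AD flag: the resolver validated the chain
#   insecure - answer without AD: unsigned zone, or the resolver is not validating
#   bogus    - SERVFAIL: what a validating resolver returns when validation fails
#   error    - anything else (REFUSED, timeout text, garbage)
classify_dig() {
    _out=$(cat)
    _status=$(printf '%s\n' "$_out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    _flags=$(printf '%s\n' "$_out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$_status" in
        NOERROR|NXDOMAIN)
            case " $_flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo error ;;
    esac
}

# Given the classification of a normal query ($1) and of the same query
# sent with +cd ($2), separate a DNSSEC validation failure from an outage:
# if disabling checking makes the SERVFAIL go away, validation was the cause.
diagnose() {
    if [ "$1" = bogus ] && [ "$2" != bogus ] && [ "$2" != error ]; then
        echo validation-failure
    elif [ "$1" = bogus ]; then
        echo upstream-failure
    else
        echo "$1"
    fi
}

# Constructed dig header samples (not captured from a real resolver).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live use (needs dig and network): ./check.sh --live <resolver-ip> <name>
if [ "${1:-}" = --live ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    normal=$(dig @"$2" +dnssec "$3" | classify_dig)
    nocheck=$(dig @"$2" +dnssec +cd "$3" | classify_dig)
    printf '%s: %s\n' "$3" "$(diagnose "$normal" "$nocheck")"
fi
```

Run with `--live` against a resolver and a name to get one of `secure`, `insecure`, `validation-failure` or `upstream-failure`; the `val-log-level: 2` setting in the written fragment is what makes Unbound's own log explain which link in the chain (missing DS, expired RRSIG, bad key) caused a `validation-failure`.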
Updated by admin over 11 years ago
- Status changed from New to Closed
Validating resolvers have been in use for some time now.