Contributed by rueda on from the +dnssec dept.
With this commit, Florian Obser (florian@) enabled DNSSEC validation in the default unbound.conf(5) in -current:
CVSROOT:        /cvs
Module name:    src
Changes by:     florian@cvs.openbsd.org 2018/12/07 02:21:08

Modified files:
        etc : unbound.conf

Log message:
Enable DNSSEC validation.
Requested by & OK claudio
Input & OK sthen
OK job, solene
Various commenting that they run with validation since a long time without issues.
There's also a related entry in the "Following -current and using snapshots" FAQ.
Update: The change has been reverted:
CVSROOT:        /cvs
Module name:    src
Changes by:     florian@cvs.openbsd.org 2018/12/11 12:16:36

Modified files:
        etc : unbound.conf

Log message:
the world is not ready for dnssec enabled by default
By Damon (oneofthedamons) undeadly@damon.sarahsempire.com on
What happened?
Comments
By Oon Dead Lii (oondeadly) on
I can only speculate, but some people might have encountered the same problems as we have realized: the world is not ready. When we switched, e.g. Xerox messed up their DNSSEC setup. Windows driver installation aborted with a weird error - I realized that the install procedure downloads an XML file, but the hostname could not be resolved because they really had a mess. VMware also messed it up, we could not update our ESXi servers. HP was not better: some ILOM bugs forced us to update the firmware, but there were also problems. And so forth. So we switched back to normal DNS.
By Otto Moerbeek (ottom) otto@drijf.net on
It was more of a question of bootstrapping a machine without a proper clock.
To use ntp to set the clock initially, it must resolve a DNS name. To resolve a name with DNSSEC, the clock must be more or less right.
Comments
By Daniel Gracia (Paladdin) guardame_el_secreto@yahoo.es on https://www.egracia.es
That would suppose a serious handicap for our octeon machines (all of which miss a proper RTC).
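
The clock dependency raised in the comments above, as an added example (not part of the original post, and not code from unbound or OpenBSD): a validator only accepts an RRSIG while its own clock lies between the signature's inception and expiration, compared with serial number arithmetic as RFC 4034 section 3.1.5 requires. The sample window, the clock values and the skew parameter are constructed for illustration.

```python
# Added example: the RRSIG time check a validator performs (RFC 4034, 3.1.5).
import calendar
import time

MASK = 0xFFFFFFFF  # inception/expiration are 32-bit counts of seconds since 1970


def rrsig_time(text):
    """Parse the YYYYMMDDHHmmSS presentation form into the 32-bit wire value."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S")) & MASK


def serial_le(a, b):
    """a <= b under RFC 1982 serial number arithmetic."""
    return ((b - a) & MASK) < 0x80000000


def signature_time_status(inception, expiration, now, skew=0):
    """Classify clock reading `now` (Unix seconds) against one RRSIG window.

    `skew` is a tolerance in seconds; it is a parameter of this example only.
    """
    inc, exp, cur = rrsig_time(inception), rrsig_time(expiration), now & MASK
    if not serial_le((inc - skew) & MASK, cur):
        return "not-yet-valid"
    if not serial_le(cur, (exp + skew) & MASK):
        return "expired"
    return "valid"


# Constructed sample window, not taken from any real zone.
INCEPTION, EXPIRATION = "20181201000000", "20181215000000"

if __name__ == "__main__":
    clocks = {
        "no RTC, booted at epoch 0": 0,
        "clock already set": rrsig_time("20181207000000"),
        "clock running ahead": rrsig_time("20190101000000"),
    }
    for label, now in clocks.items():
        print(f"{label:28} -> {signature_time_status(INCEPTION, EXPIRATION, now)}")
```

A machine that boots with its clock at the epoch classifies every current signature as not yet valid, so a validating resolver cannot return the NTP server's address that would let the clock be corrected.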