Contributed by rueda on from the +dnssec-take-two dept.
DNSSEC validation has been enabled in the default unbound.conf(5) in -current.

The relevant commits were from Job Snijders (job@):
    CVSROOT:        /cvs
    Module name:    src
    Changes by:     job@cvs.openbsd.org     2019/11/07 05:49:45

    Modified files:
            etc : unbound.conf

    Log message:
    Enable DNSSEC validation in unbound by default

    OK deraadt@ otto@
and from Stuart Henderson (sthen@):
    CVSROOT:        /cvs
    Module name:    src
    Changes by:     sthen@cvs.openbsd.org   2019/11/07 08:46:37

    Modified files:
            etc : unbound.conf

    Log message:
    Reenable "val-log-level: 2", so that when sites have misconfigured dnssec
    the sysadmin has some idea what's going on in logs, and
    "aggressive-nsec: yes", if we're using dnssec anyway we might as well get
    the benefits. These were both enabled last time dnssec was enabled in this
    sample unbound.conf.

    ok florian@
This was attempted late last year, but reverted because of difficulties bootstrapping machines with incorrect clocks: DNSSEC signatures (RRSIGs) carry inception and expiration times, so a validating resolver on a machine whose clock is far off rejects every signed answer, and if ntpd(8) then needs DNS to find its time servers the clock can never be corrected.
Also relevant are this commit from Theo de Raadt (deraadt@):

    CVSROOT:        /cvs
    Module name:    src
    Changes by:     deraadt@cvs.openbsd.org 2019/11/06 12:04:12

    Modified files:
            etc : ntpd.conf

    Log message:
    Perform constraint validation against 9.9.9.9 and 2620:fe::fe also
    (which avoids DNS lookups entirely, but yes this https is correctly
    validated)
    long discussions with otto, florian, and the quad9 crew.

and some of the work by Otto Moerbeek (otto@) upon which we reported earlier.
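As an added example, not taken from the committed files above or from the OpenBSD tree, here is how the settings named in these commits fit together in unbound.conf(5) and ntpd.conf(5). The file paths, the trust-anchor location and the exact spelling of the constraint lines are assumptions drawn from the respective manual pages; the comments spell out the clock dependency that forced the earlier revert.

```conf
# /var/unbound/etc/unbound.conf (assumed path; added example, not the committed file)
server:
    # Root zone trust anchor.  unbound-anchor(8) seeds the file and unbound
    # keeps it current with RFC 5011 key rollover, so it must be writable.
    # (Path assumed from the OpenBSD sample configuration.)
    auto-trust-anchor-file: "/var/unbound/db/root.key"

    # Log validation failures regardless of the global verbosity.  Level 1
    # logs the failing query; level 2 adds the reason and the server that
    # returned the bad data, so a zone with a broken signer is
    # distinguishable from a dead domain in /var/log/daemon.
    val-log-level: 2

    # Synthesize NXDOMAIN and NODATA answers from cached NSEC records
    # (RFC 8198).  Cuts queries for names that cannot exist and reduces
    # junk traffic towards the root and TLD servers.
    aggressive-nsec: yes

    # Caveat: every RRSIG has an inception and expiration time.  On a box
    # with a badly wrong clock all signed data fails validation and unbound
    # returns SERVFAIL.  If ntpd(8) has to resolve "pool.ntp.org" through
    # this resolver, the clock is never fixed.  The constraints below break
    # that loop.

# /etc/ntpd.conf (added example; constraint lines follow the deraadt@ commit,
# exact form assumed from ntpd.conf(5))
servers pool.ntp.org

# HTTPS constraints: an NTP reply is only accepted if it agrees, within
# bounds, with the Date header of a TLS-validated HTTPS server.
constraints from "www.google.com"

# The same check against Quad9 by literal IPv4 and IPv6 address: no DNS
# lookup is needed to reach it, and the certificate still validates, so the
# constraint works while the validating resolver is refusing to answer.
constraint from "9.9.9.9"
constraint from "2620:fe::fe"
```

To confirm that validation is actually happening after restarting unbound, `unbound-host -C /var/unbound/etc/unbound.conf -v openbsd.org` should report the answer as "(secure)", and `dig +dnssec @127.0.0.1 openbsd.org` should show the `ad` flag in the header. With the clock deliberately set several years back the same query returns SERVFAIL, and with `val-log-level: 2` the daemon log names the signature time check as the reason, which is the failure mode the ntpd constraints are there to get the machine out of.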