Contributed by rueda on from the +dnssec-take-two dept.
DNSSEC validation has been enabled in the default
The relevant commits were
Job Snijders (
CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2019/11/07 05:49:45

Modified files:
	etc : unbound.conf

Log message:
Enable DNSSEC validation in unbound by default

OK deraadt@ otto@
Stuart Henderson (
CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2019/11/07 08:46:37

Modified files:
	etc : unbound.conf

Log message:
Reenable "val-log-level: 2", so that when sites have misconfigured
dnssec the sysadmin has some idea what's going on in logs, and
"aggressive-nsec: yes", if we're using dnssec anyway we might as well
get the benefits. These were both enabled last time dnssec was enabled
in this sample unbound.conf. ok florian@
This was attempted late last year, but reverted because of difficulties bootstrapping machines with incorrect clocks.
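Why a wrong clock breaks a validating resolver, as an added example (not code from unbound or from the commits above): every RRSIG record carries inception and expiration timestamps, and a validator rejects signatures outside that window (RFC 4034, section 3.1.5). The signature times and clock values below are constructed, and the function names are hypothetical.

```python
import calendar
import time

MASK32 = 0xFFFFFFFF


def parse_sig_time(text):
    """Convert RRSIG presentation time YYYYMMDDHHmmSS (UTC) to epoch seconds."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S"))


def serial_lte(a, b):
    """True if a <= b under RFC 1982 serial arithmetic on 32-bit values.

    RRSIG timestamps are 32-bit counters that wrap, so they are compared
    modulo 2**32 rather than as plain integers.
    """
    return ((b - a) & MASK32) < 0x80000000


def classify(inception, expiration, now):
    """Return how a validator sees the signature at local clock `now`."""
    inc, exp, cur = (v & MASK32 for v in (inception, expiration, now))
    if not serial_lte(inc, cur):
        return "not yet valid"      # local clock is behind the inception time
    if not serial_lte(cur, exp):
        return "expired"            # local clock is past the expiration time
    return "valid"


# Constructed sample: a signature valid for November 2019.
INCEPTION = parse_sig_time("20191101000000")
EXPIRATION = parse_sig_time("20191201000000")

# Constructed clocks: a correct one, a reset RTC, and one running far ahead.
CLOCKS = {
    "correct clock": parse_sig_time("20191107120000"),
    "RTC reset to 2000": parse_sig_time("20000101000000"),
    "clock set to 2021": parse_sig_time("20210101000000"),
}

if __name__ == "__main__":
    for label, now in CLOCKS.items():
        print(f"{label:>18}: {classify(INCEPTION, EXPIRATION, now)}")
```

With the reset clock every signed answer fails validation, including the lookup for the time server that would correct the clock.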
Also relevant are
from Theo de Raadt (
CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2019/11/06 12:04:12

Modified files:
	etc : ntpd.conf

Log message:
Perform constraint validation against 18.104.22.168 and 2620:fe::fe also
(which avoids DNS lookups entirely, but yes this https is correctly
validated)
long discussions with otto, florian, and the quad9 crew.
and some of the work by Otto Moerbeek (otto@) upon which we