[Dnssec-trigger] dnssec-triggerd behaviour when hotspot_signon called

Tomas Hozza thozza at redhat.com
Wed Dec 4 16:23:49 UTC 2013


----- Original Message -----
> On Wed, 4 Dec 2013, Tomas Hozza wrote:
> 
> > I would like to discuss if the dnssec-triggerd behaviour
> > when doing hot spot sign-on is really correct. At the moment
> > dnssec-trigger writes nameservers obtained from DHCP into
> > the /etc/resolv.conf on Linux.
> >
> > Wouldn't it be better if it would set DNS servers obtained
> > from DHCP (regardless if they support DNSSEC) as forwarders
> > in unbound and also disable the validator module?
> >
> > When going back to the "secure" mode it could just enable
> > the validator module and do the reprobing and set forwarders
> > based on the probing results.
> 
> No, that would contaminate your cache.

Good point. Unfortunately FWIK the validator module can be
disabled only by changing the configuration file. For changes
to be used you'd need to reload unbound, which would result
in flushing the cache completely.

Regards,

Tomas


