[Dnssec-trigger] Overriding DHCP DNS Server

Petr Menšík pemensik at redhat.com
Wed Aug 1 16:31:57 UTC 2018


Hello Zach,

I am afraid dnssec-trigger will not help you in such a configuration. I
think you might want to try stubby instead. It is packaged inside the
getdns package on Fedora.

Dnssec-trigger is a great tool to avoid non-compliant resolvers.
Unfortunately it does not solve privacy (DNS over TLS) in any way. It
uses unbound, which is not great at DNS over TLS (yet). It just makes
sure your DNS server can pass DNSSEC records to unbound running on
localhost, and verifies DNS records.

Dnssec-trigger does not use any public keys for validation. A new trust
anchor can be configured in /etc/unbound/keys.d. I doubt that is what
you were looking for. Take a look at stubby, I think that is what you
want. Use of dnssec-trigger in hotspot mode and a different forwarder in
secure mode is not supported. Unbound could be used with stubby, when
you change forwarding of "." to it using unbound-control. I do not know
if it makes sense to automate it from dnssec-trigger. I think it is
complicated, unless you want to play with it a lot.

I would suggest running dnssec-triggerd manually when you are on a hostile
hotspot. Stop it and start stubby when you want more privacy. Stubby
will never use the DNS server from DHCP, which is kind of the reason to have
dnssec-trigger.

On 07/10/2018 08:16 PM, Zach Lym wrote:
> What's the best way to go about specifying a DNS server (along with
> the public key) in a way that meshes well with DNSSEC-Trigger? Is it
> possible to do this without interfering with the captive portal
> process?
> 
> See also: https://ask.fedoraproject.org/en/question/123084/dnssec-overriding-dhcp-resolver-securely/
> 
> Thank you,
> -Zach Lym
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
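The manual switch Petr describes (stubby as a DNS-over-TLS stub on localhost, unbound's "." forwarding pointed at it with unbound-control, and removed again for hotspot use) as an added example; this is not code from the thread, from dnssec-trigger or from getdns. It assumes stubby listens on 127.0.0.1 port 8053 so it does not collide with unbound on port 53, and the upstream address 192.0.2.53, its TLS name and SPKI pin are constructed placeholders that must be replaced with the values of the resolver you actually trust.

```shell
#!/bin/sh
# Added example (not from the thread): run stubby as a strict DNS-over-TLS
# stub next to unbound, and flip unbound's root forward zone to it.
# Assumptions: stubby listens on 127.0.0.1@8053; the upstream IP, TLS
# name and pin below are placeholders (RFC 5737 address, example name).

STUBBY_LISTEN="${STUBBY_LISTEN:-127.0.0.1@8053}"
UPSTREAM_IP="192.0.2.53"                            # placeholder
UPSTREAM_TLS_NAME="dns.example.net"                 # placeholder
UPSTREAM_PIN="REPLACE_WITH_BASE64_SHA256_SPKI_PIN"  # placeholder

# Run a command, or only print it when DRY_RUN=1, so the functions can
# be exercised on a machine that has no unbound-control installed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Write a stubby.yml that refuses anything but authenticated DNS over TLS
# (GETDNS_AUTHENTICATION_REQUIRED) and pads queries to 128-byte blocks.
# The DHCP-supplied resolver never appears here, which is the point.
write_stubby_config() {
    cat > "$1" <<EOF
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
listen_addresses:
  - ${STUBBY_LISTEN}
upstream_recursive_servers:
  - address_data: ${UPSTREAM_IP}
    tls_auth_name: "${UPSTREAM_TLS_NAME}"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: ${UPSTREAM_PIN}
EOF
}

# Privacy mode: unbound keeps doing DNSSEC validation, but every query
# (forward zone ".") goes to stubby instead of the DHCP-provided server.
forward_to_stubby() {
    run unbound-control forward_add . "$STUBBY_LISTEN"
}

# Hotspot mode: drop the forward zone again before starting dnssec-triggerd,
# so it can probe and configure unbound's forwarders itself.
forward_remove_stubby() {
    run unbound-control forward_remove .
}
```

Usage: stop dnssec-triggerd, `write_stubby_config /etc/stubby/stubby.yml`, start stubby, then `forward_to_stubby`; run `forward_remove_stubby` and stop stubby before starting dnssec-triggerd again. Keeping the two modes as explicit commands matches the advice above that mixing stubby with dnssec-trigger's own forwarder handling is unsupported.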