[getdns-users] First release candidate for getdns-1.2.1 - but still trouble
A. Schulze
sca at andreasschulze.de
Sun Nov 12 13:58:03 UTC 2017
On 10.11.2017 at 17:18, Willem Toorop wrote:
> Thanks Andreas,
>
> I think I know what the issue is. Your /etc/resolv.conf is pointing to
> 127.0.0.1, and that will be used to do the DNS queries to start Zero
> configuration DNSSEC (i.e. lookup of data.iana.org). However doing a
> query to Stubby listening on 127.0.0.1, in turn triggers another lookup
> for data.iana.org etc. because it wants to validate.
stubby worked as I changed the setup:
* /etc/resolv.conf contains "nameserver 127.0.0.1"
* unbound listens on 127.0.0.1 and could serve "data.iana.org"
* stubby listens on ::1
* ~/.getdns/ doesn't exist
# stubby &
$ dig @::1 getdnsapi.net.
-> answer
> So there is clearly a chicken and egg problem here that needs to be
> resolved. Unfortunately sending the meta queries with the CD flag
> (checking disabled) won't help, because this is translated in stubby to
> the dnssec_return_all_statuses extension, which will also trigger Zero
> configuration DNSSEC.
>
> I have to rethink the meta queries for Zero configuration DNSSEC, which
> is in line with what I'm planning to do at the IETF hackathon (i.e. DANE
> authenticating DNS-over-TLS upstreams, which also involves meta-queries
> which cannot be done without working upstream!). So if you don't mind,
> I will release 1.2.1 which has a lot of stability fixes anyway, and
> create a GitHub issue for this specific problem, to be addressed in
> (hopefully) a soon future release.
I created an issue on github...
Andreas
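
Added example (not part of the original message and not getdns or Stubby code): a check for the loop described in this thread, where a nameserver in /etc/resolv.conf is also an address Stubby listens on, so the lookups Stubby makes to start Zero configuration DNSSEC are sent back to Stubby. It assumes listen entries in `address@port` form with port 53 when no port is given; the function names and sample inputs are constructed for illustration.

```python
import ipaddress

def resolv_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        # Comment lines start with '#' or ';' and never match "nameserver".
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 scope id such as %eth0 before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
    return servers

def parse_listen(entry):
    """Split an 'address@port' listen entry; port 53 assumed when absent."""
    host, _, port = entry.strip().partition("@")
    return ipaddress.ip_address(host), int(port or 53)

def bootstrap_loop(resolv_conf_text, stubby_listen):
    """Return system nameservers that would be answered by Stubby itself."""
    # The system resolver always queries port 53, so other ports cannot loop.
    listen = [a for a, port in map(parse_listen, stubby_listen) if port == 53]
    # A wildcard listen address (0.0.0.0 or ::) also covers loopback.
    wildcard = {a.version for a in listen if a.is_unspecified}
    return [str(ns) for ns in resolv_nameservers(resolv_conf_text)
            if ns in listen or (ns.is_loopback and ns.version in wildcard)]

if __name__ == "__main__":
    resolv = "nameserver 127.0.0.1\n"  # constructed, matches the thread
    # Stubby on 127.0.0.1: its own bootstrap queries come back to it.
    print(bootstrap_loop(resolv, ["127.0.0.1"]))
    # Stubby on ::1 with another resolver on 127.0.0.1: no overlap.
    print(bootstrap_loop(resolv, ["::1"]))
```

An empty result means no system nameserver points at a Stubby listen address; it does not check that the resolver on that address can actually answer for data.iana.org.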