On Sep 10, 2013, at 7:17 PM, Brian E Carpenter
<brian(_dot_)e(_dot_)carpenter(_at_)gmail(_dot_)com> wrote:
On 11/09/2013 09:59, Olafur Gudmundsson wrote:
...
My colleagues and I worked on OpenWrt routers to get Unbound to work there,
what you need to do is to start DNS up in non-validating mode
wait for NTP to fix time, then check if the link allows DNSSEC answers
through, at which point you can enable DNSSEC validation.
Hopefully you also flush the DNS cache as soon as NTP runs. Even so,
paranoia suggests that a dodgy IP address might still be cached in
some app.
Brian
Flushing cache is a good idea, and dnssec-trigger does this when it "upgrades"
the unbound from recursor to validator.
Olafur