DNSSEC/unbound -> boingboing.net failures

Florian Weimer fweimer at redhat.com
Tue Jun 30 20:23:13 UTC 2015


On 06/30/2015 07:01 PM, Paul Wouters wrote:
> With that many CNAMEs requiring validation and intermittent failure, my guess is your wifi is dropping a significant amount of queries.

It could also be NAT state table overflow.

> This is a case where shorter negative cache lifetimes should help a lot. This should come into dnssec-trigger very soon.

If it's the state table overflow, this won't help and could make the
situation worse.

Disabling DNS prefetching in the browser might improve things.  So would
using TCP.  Few consumer NAT devices are optimized for DNS over UDP with
active source port randomization.  (It's difficult to configure this
even with iptables because the relevant tools are undocumented.)

Disabling various Unbound hardening options also reduces the number of
flows needed.  In the end, it could be necessary to perform queries for
which a secure answer is expected with a constant source port.

-- 
Florian Weimer / Red Hat Product Security
