dnssec?

dumas777
Posts: 14
Joined: Wed Oct 31, 2012 4:41 pm

dnssec?

Post by dumas777 »

It should be possible to build the default dnsmasq included with Gargoyle with at least dnssec support compiled in. I ended up building it myself using dnsmasq-full to fully get dnssec working (with dnssec-check-unsigned working, woot), but this will be a hassle to do every Gargoyle release. I also had to patch privoxy to get it to the latest 3.0.23 version, but I will have to take that upstream to OpenWrt. Other than that, Gargoyle is awesome right out of the box.

ispyisail
Moderator
Posts: 5180
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: dnssec?

Post by ispyisail »

Is the overhead a problem?

tapper
Moderator
Posts: 1076
Joined: Sun Oct 13, 2013 5:49 pm
Location: Stoke-on-trent UK

Re: dnssec?

Post by tapper »

ispyisail wrote: is the overhead a problem?
+1?
Linksys WRT3200ACM
NETGEAR Nighthawk R7800
NETGEAR R6260

dumas777
Posts: 14
Joined: Wed Oct 31, 2012 4:41 pm

Re: dnssec?

Post by dumas777 »

ispyisail wrote: is the overhead a problem?
Not for my wndr3700v2, but yes, it does generate more port 53 traffic (obviously). I am not sure there would be much more overhead if the dnssec support was compiled in (but not enabled by default), other than that the Gargoyle image would be bigger due to the binary being bigger and libgmp (can get rid of dependency I think but haven't tried) and libnettle becoming mandatory. Actually, the better solution would probably be to fix Gargoyle being incompatible with dnsmasq-full due to kernel incompatibility with dependency kmod-ipv6 (dnsmasq-full provides ipv6 support but doesn't require it). That would please the small number of paranoids like me that don't trust their ISP not to dick with their DNS and yet not affect the vast majority of other users. Until then, rolling your own is the workaround.
