Is it important to configure the DNSSEC trust-anchor for an instance of 'unbound' running on an exit node? I put a lot of work into setting up a new exit and want to take a break, but just noticed this item. 'unbound' was built from source rather than installed from a distribution, so this step must be performed manually. The relay resides in the high-quality German LeaseWeb network and the risk of DNS mischief appears low.
Spent a few minutes activating the DNSSEC trust-anchor for 'unbound'.
Ran 'dig' on a few signed domains and observed that queries that took under 50 milliseconds without went to 2000 milliseconds with.
My attitude toward DNSSEC has deteriorated steadily over time and this finishes it off for me. It's simply not worth the cost. Many serious folk have commented in detail on what a horror show it is.
Disabled it on the exit.
Without DNSSEC, 'unbound' has been reporting:
server stats for thread 0: 1296326 queries, 454942 answers from cache, 841384 recursions, 0 prefetch
server stats for thread 0: requestlist max 112 avg 28.1553 exceeded 0 jostled 0
histogram of recursion processing times
[25%]=0.00737672 median[50%]=0.0492239 [75%]=0.144125 ...
tor-relays@lists.torproject.org
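As an added example (not part of the original post, and not unbound's or Tor's own tooling), a POSIX shell script that makes the before/after comparison described above repeatable: it queries a list of signed zones against the local resolver, reports dig's "Query time" and whether the answer carried the AD (authenticated data) flag, and summarizes the "server stats" and histogram lines unbound logs. The resolver address, the domain list and the trust-anchor path are assumptions to adjust for the exit's own instance.

```shell
#!/bin/sh
# Added example, not from the original post. Compares resolver latency with
# and without validation and summarizes unbound's stats output.
#
# Manual trust-anchor step for a source-built unbound (paths are assumptions):
#   unbound-anchor -a /var/lib/unbound/root.key
# and in unbound.conf, under server:
#   auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Run this script once with validation off and once with it on, then compare.

RESOLVER="${RESOLVER:-127.0.0.1}"                 # assumed: unbound listens locally
DOMAINS="${DOMAINS:-ietf.org isc.org iana.org}"   # assumed sample of signed zones

# Extract the ";; Query time: N msec" value from dig output on stdin.
dig_query_ms() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# Report "yes" if the dig output on stdin carries the AD flag, i.e. the
# resolver actually validated the answer; "no" otherwise.
dig_has_ad() {
    grep -q '^;; flags:.* ad[ ;]' && echo yes || echo no
}

# Percentage of queries answered from cache, from a
# "server stats for thread N: ... queries, ... answers from cache" line.
cache_hit_pct() {
    queries=$(printf '%s\n' "$1" | sed -n 's/.*: \([0-9][0-9]*\) queries,.*/\1/p')
    cached=$(printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) answers from cache.*/\1/p')
    [ -n "$queries" ] && [ "$queries" -gt 0 ] || { echo 0; return 1; }
    echo $(( cached * 100 / queries ))
}

# Median recursion time in whole milliseconds, from the histogram line
# "[25%]=... median[50%]=<seconds> [75%]=...".
median_ms() {
    sec=$(printf '%s\n' "$1" | sed -n 's/.*median\[50%\]=\([0-9.]*\).*/\1/p')
    [ -n "$sec" ] || return 1
    # shell arithmetic is integer-only, so awk does the float conversion
    printf '%s\n' "$sec" | awk '{ printf "%d\n", $1 * 1000 + 0.5 }'
}

# Query each domain twice (cold, then warm cache) and print latency and AD flag.
measure() {
    for d in $DOMAINS; do
        for pass in cold warm; do
            out=$(dig @"$RESOLVER" +dnssec "$d" A 2>/dev/null) || continue
            ms=$(printf '%s\n' "$out" | dig_query_ms)
            ad=$(printf '%s\n' "$out" | dig_has_ad)
            printf '%-20s %-5s %5s ms  validated=%s\n' "$d" "$pass" "$ms" "$ad"
        done
    done
}

# Network measurement runs only when invoked as: sh script.sh measure
if [ "${1:-}" = measure ]; then
    measure
fi
```

A warm-cache query that still shows a large "Query time" with validated=yes points at validation itself rather than at upstream authoritative servers; a cold query that is slow while validated=no suggests the resolver is not validating at all and the anchor or config was not picked up. The stats helpers apply to the lines unbound writes to its log (or that unbound-control stats prints), so the cache-hit ratio and median recursion time can be compared across the two runs.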