[tor-relays] how important is configuring DNSSEC root trust anchor for 'unbound' running on an exit node?

Dhalgren Tor dhalgren.tor at gmail.com
Sat Oct 3 21:21:24 UTC 2015


Spent a few minutes activating the DNSSEC trust-anchor for 'unbound'.

Ran 'dig' on a few signed domains and observed that queries that took
under 50 milliseconds without went to 2000 milliseconds with.

My attitude toward DNSSEC has deteriorated steadily over time and this
finishes it off for me.  It's simply not worth the cost.  Many serious
folk have commented in detail on what a horror show it is.

Disabled it on the exit.

Without DNSSEC, 'unbound' has been reporting:

server stats for thread 0: 1296326 queries, 454942 answers from cache, 841384 recursions, 0 prefetch
server stats for thread 0: requestlist max 112 avg 28.1553 exceeded 0 jostled 0
histogram of recursion processing times
[25%]=0.00737672 median[50%]=0.0492239 [75%]=0.144125
...

