* Ivan Vilata i Balaguer (i...@selidor.net) wrote:
> Package: dnscrypt-proxy
> Version: 1.4.3-2
> Severity: normal
>
> Hi! The README of ``dnscrypt-proxy`` recommends using Unbound as a DNS
> caching resolver in combination with it. However, Unbound enables DNSSEC and
> the default configuration of ``dnscrypt-proxy`` sets
> ``DNSCRYPT_PROXY_RESOLVER_NAME=opendns`` in its default file. The problem is
> that OpenDNS servers disable DNSSEC, which results in Unbound rejecting the
> responses coming from the proxy and name resolution failing, as explained
> here: https://forums.opendns.com/comments.php?DiscussionID=15361#Item_9
>
> I suggest changing the default to a different one (e.g. the ``dnscrypt.eu-*``
> servers seem to work), or adding a short comment in the default file warning
> about OpenDNS servers and DNSSEC.
>
> Thanks!

Yikes. I wasn't aware that OpenDNS did that. That does make them a
rather poor default. The reason I chose it was that it has servers all
over the place (https://www.opendns.com/data-center-locations/) and
uses anycast, so it should be fast no matter where you are located. The
dnscrypt.eu-* servers are going to be a poor choice for folks outside
of Europe.

It's unfortunate but there may be no sane default. It may be necessary
to do some debconf work here to present some options. This will require
some thought.

-- 
Eric Dorland <e...@kuroneko.ca>
43CF 1228 F726 FD5B 474C  E962 C256 FBD5 0022 1E93
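
The failure mode reported in this thread, as an added example that is not part of either message or of dnscrypt-proxy: a validating resolver needs RRSIG records in the answers its upstream returns, so a reply to a DNSSEC-enabled query for a signed name that carries no RRSIG marks that upstream as unsuitable behind Unbound. The function names and the sample packets below are constructed for illustration.

```python
import struct

RRSIG = 46  # RR type code for DNSSEC signatures (RFC 4034)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:             # root label ends the name
            return off + 1
        off += 1 + n           # ordinary label: length byte plus label bytes

def answer_has_rrsig(msg):
    """True if the answer section of a raw DNS response contains an RRSIG."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    found = False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen                      # fixed RR header plus RDATA
        found = found or rtype == RRSIG
    return found

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def sample_response(signed):
    """Constructed response for 'example.org A'; not captured from any server."""
    question = encode_name("example.org") + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"                          # pointer back to the question name
    answers = [ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if signed:
        # 18 fixed RRSIG bytes, signer name, placeholder (invalid) signature
        rdata = b"\x00" * 18 + encode_name("example.org") + b"\x00" * 8
        answers.append(ptr + struct.pack("!HHIH", RRSIG, 1, 300, len(rdata)) + rdata)
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

if __name__ == "__main__":
    for label, signed in (("DNSSEC records passed through", True),
                          ("DNSSEC records stripped", False)):
        print(label, "->", answer_has_rrsig(sample_response(signed)))
```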