id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,fix_version,see_also
1314,debathena-dns-config should provide a DNSSEC-validating resolver,achernya,,"MIT's current nameservers do not do any DNSSEC validation, and even if they did, MIT's network is sufficiently wide-area that it would be unwise to trust their responses. Instead, we should ship a DNSSEC-aware caching resolver, such as bind9 or unbound. dnsmasq is not sufficient as it does not have any code to do the validation. This will provide benefits to any and all applications that are using DNS by stripping records with invalid signatures of all deployments that have DNSSEC keys. No further application support is needed, and will even provide benefit to Hesiod. A version of bind9 with DNSSEC-validation is currently running on linerva-dev, with manual modifications based on the version of debathena-dns-config that was shipped for Squeeze. It looks like unbound will do DNSSEC out-of-the-box when I tried it on my Wheezy VM. Note that this conflicts with #1131.",enhancement,new,high,Current Semester,paranoia,,,,,