On Sep 10, 2013, at 7:17 PM, Brian E Carpenter <brian.e.carpenter@xxxxxxxxx> wrote:

> On 11/09/2013 09:59, Olafur Gudmundsson wrote:
> ...
>> My colleagues and I worked on OpenWrt routers to get Unbound to work there, what you need to do is to start DNS up in non-validating mode
>> wait for NTP to fix time, then check if the link allows DNSSEC answers through, at which point you can enable DNSSEC validation.
>
> Hopefully you also flush the DNS cache as soon as NTP runs. Even so,
> paranoia suggests that a dodgy IP address might still be cached in
> some app.
>
> Brian

Flushing cache is a good idea, and dnssec-trigger does this when it "upgrades" the unbound from recursor to validator.

Olafur
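Added example, not part of the thread and not code from Unbound or dnssec-trigger: one way to implement the "check if the link allows DNSSEC answers through" step is to send a query with the EDNS0 DO bit set and require an RRSIG in the answer. Treating a missing RRSIG or a malformed reply as "link not usable for validation" is an assumption of this sketch, as are all function names; the sample replies are constructed.

```python
import struct

RRSIG, OPT = 46, 41  # RR type codes

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_do_query(name, qtype=1, qid=0x1234):
    """DNS query carrying an EDNS0 OPT record with the DO (DNSSEC OK) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root owner name, CLASS = UDP payload size, TTL field holds the DO flag
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def answer_has_rrsig(msg):
    """True only if the answer section contains an RRSIG; malformed replies count as False."""
    try:
        _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        for _ in range(an):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == RRSIG:
                return True
            off += 10 + rdlen
        return False
    except (struct.error, IndexError):
        return False

def sample_response(with_rrsig):
    """Constructed reply for example.com A; the RRSIG rdata is filler, not a real signature."""
    q = encode_name("example.com") + struct.pack("!HH", 1, 1)
    rr = lambda t, rdata: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rdata)) + rdata
    answers = [rr(1, bytes([192, 0, 2, 1]))] + ([rr(RRSIG, b"\x00" * 24)] if with_rrsig else [])
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0) + q + b"".join(answers)
```

A reply that fails this check means a resolver or middlebox on the path is stripping DNSSEC records, so validation should stay off; the check only looks for the presence of signatures and does not verify them.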