Maintained by: NLnet Labs

[Unbound-users] "Tunnel" dnssec through local forward-zone?

Anders Sundman
Mon Jul 25 18:40:52 CEST 2011


I'm running unbound locally on and a DNS TCP proxy (ttdnsd) on. The setup is a simple forward-zone; I ask unbound and unbound
asks ttdnsd:

forward-zone:
  name: "."

Now I'm trying to get dnssec working but I've run into some problems.

The auto-trust-anchor-file (root.key in this case) has been successfully
updated but:

$ dig com. SOA +dnssec @

doesn't set the AD flags in the response. Instead I get the following in
my logfile:

"validation failure <com. SOA IN>: key for validation com. is marked as
invalid because of a previous validation failure <com. SOA IN>:
signatures from unknown keys from for DS com. while building
chain of trust".

Querying ttdnsd with:

$ dig com. SOA +dnssec @

Gives me a SOA and RRSIG record back (but no AD).

I'm guessing this is because ttdnsd doesn't support validating dnssec.

Since I trust the local instance of ttdnsd - is there any way to "skip"
that part of the validation chain and transparently "tunnel" through it?

Best regards,
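For readers following this thread: the configuration below is an added illustration, not the poster's own config or anything from NLnet Labs. It shows the shape of the setup described above (a validating unbound forwarding everything to a local TCP proxy) together with the two knobs a practitioner would check first when the chain of trust cannot be built through a forwarder. The listen and forward addresses, the port 5353 for ttdnsd and the path to root.key are assumptions chosen for the example; the poster's real addresses are not on the page.

```conf
# unbound.conf (example, not the original poster's file)
server:
    # Assumed: unbound listens on the loopback address for local clients.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Validation stays in unbound; the forwarder only has to pass RRSIG,
    # DS and DNSKEY records through unmodified. The trust anchor file is
    # the one mentioned in the post (path assumed).
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # By default unbound refuses to send queries to 127.0.0.0/8. When the
    # upstream is a proxy on localhost this must be switched off, or
    # unbound never reaches ttdnsd at all.
    do-not-query-localhost: no

    # Log why a validation failed ("signatures from unknown keys ...")
    # instead of only the summary line; 2 prints the full reason.
    val-log-level: 2

forward-zone:
    name: "."
    # Assumed: ttdnsd listens on 127.0.0.1 port 5353; the @port suffix
    # is unbound's syntax for a non-default upstream port.
    forward-addr: 127.0.0.1@5353
```

To check whether the chain of trust comes through the proxy intact, run unbound-host against this config with validation enabled, e.g. `unbound-host -C unbound.conf -v -D com. SOA`: it prints `(secure)` when the answer validated, `(insecure)` when no chain exists, and `(BOGUS ...)` with the validator's reason when the chain broke, which is the same text that appears in the log at val-log-level 2. If the answer is bogus, query the proxy directly for `. DNSKEY +dnssec` and `com. DS +dnssec` and compare the key tags in the RRSIGs with those of the keys returned; a proxy that strips or truncates either record set will produce exactly the "unknown keys for DS com." failure quoted above.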