Maintained by: NLnet Labs

[Unbound-users] "Tunnel" dnssec through local forward-zone?

Anders Sundman
Mon Jul 25 18:40:52 CEST 2011


Hello,

I'm running unbound locally on 127.0.0.1 and a DNS TCP proxy (ttdnsd) on
127.0.0.2. The setup is a simple forward-zone; I ask unbound and unbound
asks ttdnsd:

forward-zone:
  name: "."
  forward-addr: 127.0.0.2

Now I'm trying to get dnssec working but I've run into some problems.

The auto-trust-anchor-file (root.key in this case) has been successfully
updated but:

$ dig com. SOA +dnssec @127.0.0.1

doesn't set the AD flags in the response. Instead I get the following in
my logfile:

"validation failure <com. SOA IN>: key for validation com. is marked as
invalid because of a previous validation failure <com. SOA IN>:
signatures from unknown keys from 127.0.0.2 for DS com. while building
chain of trust".

Querying ttdnsd with:

$ dig com. SOA +dnssec @127.0.0.2

gives me a SOA and RRSIG record back (but no AD).

I'm guessing this is because ttdnsd doesn't support validating dnssec
queries.

Since I trust the local instance of ttdnsd - is there any way to "skip"
that part of the validation chain and transparently "tunnel" through it?

Best regards,
Anders
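An added diagnostic, not part of the original thread and not Unbound or ttdnsd code: it parses `dig +dnssec` output the way the checks above are done by eye, reporting whether the AD flag is set, whether RRSIGs came back, and which key tags the signatures reference, so they can be compared with the DNSKEY key tags the validator actually trusts (the "signatures from unknown keys" case). The dig output and the key tags are constructed samples, not captures from the poster's setup.

```python
"""Inspect dig +dnssec answers: AD flag, RRSIG presence, signing key tags."""
import re

# Constructed sample of a validated answer (AD set, SOA plus its RRSIG).
DIG_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
com.\t900\tIN\tSOA\ta.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
com.\t900\tIN\tRRSIG\tSOA 8 1 900 20110801000000 20110725000000 12345 com. AbCd==
"""

# Constructed sample resembling the ttdnsd answer: signed data, but no AD bit,
# which is what a non-validating forwarder hands back.
DIG_UNVALIDATED = DIG_VALIDATED.replace("qr rd ra ad;", "qr rd ra;")

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
# RRSIG rdata: type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)\s+(\S+)",
    re.M,
)


def inspect(dig_output):
    """Return the AD state and the RRSIGs (type, keytag, signer) in an answer."""
    m = FLAGS_RE.search(dig_output)
    flags = set(m.group(1).split()) if m else set()
    rrsigs = [{"type": t, "keytag": int(k), "signer": s}
              for t, k, s in RRSIG_RE.findall(dig_output)]
    return {"ad": "ad" in flags, "rrsigs": rrsigs}


def assess(result, known_keytags):
    """Classify an answer; known_keytags are the DNSKEY key tags the
    validator trusts for the signer (hypothetical input, e.g. from
    `dig com. DNSKEY` plus a key-tag computation)."""
    if result["ad"]:
        return "validated"
    if not result["rrsigs"]:
        return "unsigned or signatures stripped"
    unknown = sorted(r["keytag"] for r in result["rrsigs"]
                     if r["keytag"] not in known_keytags)
    if unknown:
        return "signed by unknown key(s) %s" % unknown
    return "signed with known key, not validated by this resolver"
```

If the key tags in the RRSIGs are not among the DNSKEYs the validator holds for that zone, the forwarder is returning a chain the validator cannot tie to its trust anchor, which matches the log line quoted above.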