Maintained by: NLnet Labs

[Unbound-users] "Tunnel" dnssec through local forward-zone?

Paul Wouters
Mon Jul 25 19:50:11 CEST 2011

On Mon, 25 Jul 2011, Anders Sundman wrote:

> I'm running unbound locally on and a DNS TCP proxy (ttdnsd) on
> The setup is a simple forward-zone; I ask unbound and unbound
> asks ttdnsd:
> forward-zone:
>  name: "."
>  forward-addr:

> Now I'm trying to get dnssec working but I've run in to some problems.

Why are you doing this? unbound can do queries using just tcp per default, so you
do not need to use ttdnsd. I assume you're trying to proxy dns to an anonymiser
network like tor?

Try this unbound patch, and set unbound to use tcp only in unbound.conf using
do-udp:no and do-tcp:yes.

I've sent this to the tor people before, but they haven't gotten back to me
with test results. If we have positive results, we might be able to convince
Wouter to make the below patch a runtime option.

Index: daemon/worker.c
- --- daemon/worker.c   (revision 2279)
+++ daemon/worker.c     (working copy)
@@ -1090,7 +1090,7 @@
                 worker->daemon->env->infra_cache, worker->rndstate,
                 cfg->use_caps_bits_for_id, worker->ports, worker->numports,
                 cfg->unwanted_threshold, &worker_alloc_cleanup, worker,
- -             cfg->do_udp);
+               0);
         if(!worker->back) {
                 log_err("could not create outgoing sockets");