Maintained by: NLnet Labs

[Unbound-users] "Tunnel" dnssec through local forward-zone?

Paul Wouters
Mon Jul 25 20:38:52 CEST 2011

On Mon, 25 Jul 2011, Jacob Appelbaum wrote:

> I don't know about his config - but we plan that ttdnsd will ask Tor for
> answers that Tor can answer - those answers are the most safe to use
> over Tor. Then the other queries will go upstream and out to an upstream
> server such as or wherever.

ttdnsd is just a transport relay for dns over tcp with no real knowledge of
DNS(SEC). It would be much better to use a DNSSEC aware nameserver, to avoid
needing to rely on Tor Nodes or directory servers. Not to say the least about
trusting google(!!!) of all places with anonymity.

> As far as I know, no one will ever add the first mode to unbound and the
> second one is untested. That is why people use ttdnsd. If unbounded
> becomes Tor aware, I'd be happy to never use ttdnsd again. :)

I have no idea about what "first" and "second" mode you are talking about.


>> Try this unbound patch, and set unbound to use tcp only in unbound.conf
>> using do-udp:no and do-tcp:yes.
>> I've sent this to the tor people before, but they haven't gotten back to me
>> with test results. If we have positive results, we might be able to
>> convince Wouter to make the below patch a runtime option.
> Yes, I haven't yet applied this patch to test it. It's in my queue.
> All the best,
> Jake
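For reference, here is what the setup discussed in this thread looks like as an unbound.conf fragment: a locally validating resolver that forwards everything over TCP only, so DNSSEC validation happens on the client side rather than being trusted to the relay. This is an added example, not the patch or configuration from the thread; the upstream address is a placeholder, and `tcp-upstream` is an unbound option that appeared in later releases (the 2011 patch being discussed is what made TCP-only upstream possible at the time), so it is assumed here.

```conf
server:
    # Listen only for local clients; the resolver is not meant to be reachable
    # from the network.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # The two settings quoted in the thread: accept no UDP at all, TCP only.
    do-udp: no
    do-tcp: yes

    # Assumed later-release option: also send upstream queries over TCP,
    # which is what the 2011 patch did at compile time.
    tcp-upstream: yes

    # Validate DNSSEC locally (RFC 5011 managed root trust anchor), so the
    # forwarder is only a transport and cannot forge validated answers.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no

    # Do not leak the local resolver's version or hostname to clients.
    hide-identity: yes
    hide-version: yes

# Forward every query to a single upstream resolver reached over the TCP
# transport (for example, a resolver behind a local TCP relay such as ttdnsd).
# <UPSTREAM-IP> is a placeholder, not a value from the thread.
forward-zone:
    name: "."
    forward-addr: <UPSTREAM-IP>@53
```

Check the result with `unbound-checkconf` and then query a signed name with `dig +dnssec`; the AD flag in the answer confirms validation happened in this local instance rather than upstream.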