Maintained by: NLnet Labs

[Unbound-users] DNSSEC and traffic encryption questions

Mon Feb 24 12:37:35 CET 2014

I'm using Unbound for recursive caching (serving internal network). I
would like to use DNSSEC and also encrypt the outbound traffic, but I
have doubts about the following:

* Unbound does not support encryption natively (from own code base)
AFAIK. I have come across two methods to encrypt DNS traffic: TOR and
DNSCrypt. Are there any other alternatives?
* Will DNSSEC be disabled when using any encryption method or if the
DNS query is forwarded to a listening daemon (like TOR/DNSCrypt)?
* When forwarding to a locally listening daemon,
"do-not-query-localhost: no" must be enabled for forwarding to work.
Is this a security risk?
* Does one specify a forward-zone when using DNSSEC, or is it left up
to Unbound to decide (or maybe either method is acceptable)? I think
without forward-zone, Unbound just uses the list from root.hints?
* I have set up DNSSEC using the unbound-anchor command, and root.key
shows date as: Feb  1 15:12:15 2014. Tests show, however, that the server
is NOT using DNSSEC. Debug is set to verbosity: 4, and log shows no
errors. All files in /var/unbound are owned by unbound:unbound with
exception of unbound.conf.
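The following is an added example, not part of the original post and not code from NLnet Labs. It puts the configuration the post is asking about in one place (forwarding every query to a local encrypting daemon while keeping DNSSEC validation in Unbound itself) and shows how to tell from a dig answer whether the resolver actually validated. Two points it relies on: unbound-anchor only fetches or refreshes root.key, it is the auto-trust-anchor-file directive in unbound.conf that makes the validator use it; and Unbound validates answers it gets from a forwarder just as it does answers it fetched itself, provided the forwarder passes the RRSIG records through (a forwarder that strips them leaves every answer insecure). The listener address 127.0.0.1@5353 for the DNSCrypt/Tor daemon is an assumption, as is the root.key path taken from the post; the dig outputs in the script are constructed samples.

```shell
#!/bin/sh
# Added example; not from the Unbound-users post or from NLnet Labs.
# Assumptions: a local DNSCrypt/Tor DNS listener on 127.0.0.1 port 5353
# (hypothetical), root.key at /var/unbound/root.key (path from the post).

# unbound.conf fragment: forward everything to the local encrypting daemon
# and validate DNSSEC locally.  do-not-query-localhost must be "no" or
# Unbound will refuse to send queries to 127.0.0.1.  Written to the file
# given as $1 so this script is self-contained; merge into the real config.
write_forward_conf() {
  cat >"$1" <<'EOF'
server:
    interface: 127.0.0.1
    do-not-query-localhost: no
    auto-trust-anchor-file: "/var/unbound/root.key"
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
EOF
}

# Consistency check for the do-not-query-localhost question: if any
# forward-addr points at a loopback address, the config must also say
# "do-not-query-localhost: no".  Returns 0 when consistent, 1 otherwise.
check_localhost_forwarding() {
  conf="$1"
  if grep -Eq '^[[:space:]]*forward-addr:[[:space:]]*(127\.0\.0\.1|::1)(@[0-9]+)?' "$conf"; then
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$conf"
  else
    return 0
  fi
}

# Classify the output of "dig +dnssec @127.0.0.1 <name> A":
#   validated - AD bit set in the flags line (validator ran and succeeded)
#   bogus     - SERVFAIL (validator ran and rejected the data)
#   insecure  - no AD bit: no trust anchor, no RRSIGs from upstream, or
#               the zone is genuinely unsigned
classify_dig_output() {
  out="$1"
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
  if [ "$status" = "SERVFAIL" ]; then
    echo bogus
    return 0
  fi
  case " $flags " in
    *" ad "*) echo validated ;;
    *)        echo insecure ;;
  esac
}

# Live check against a running resolver; not invoked here because it
# needs dig and network access.  A validating resolver answers a signed
# name with "ad" in the flags and a deliberately broken one with SERVFAIL.
live_check() {
  classify_dig_output "$(dig +dnssec +time=2 +tries=1 @127.0.0.1 "$1" A)"
}

# Constructed sample dig headers (not captured from a real resolver).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOT_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Demonstration run on the samples and on the generated config fragment.
for s in "$SAMPLE_VALIDATED" "$SAMPLE_NOT_VALIDATING" "$SAMPLE_BOGUS"; do
  echo "sample -> $(classify_dig_output "$s")"
done
tmpconf=$(mktemp)
write_forward_conf "$tmpconf"
if check_localhost_forwarding "$tmpconf"; then
  echo "config: localhost forwarding consistent"
else
  echo "config: forward-addr on loopback without do-not-query-localhost: no"
fi
rm -f "$tmpconf"
```

The "insecure" result is the one that matches the symptom in the post: an answer comes back fine but without the AD bit. That happens when the validator has no anchor configured, or when the daemon Unbound forwards to does not return RRSIGs, so checking the forwarder directly with dig +dnssec on port 5353 separates the two cases.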