Maintained by: NLnet Labs

[Unbound-users] DNSSEC and traffic encryption questions

W.C.A. Wijngaards
Mon Feb 24 13:24:47 CET 2014



Hi Beeblebrox,

On 02/24/2014 12:37 PM, Beeblebrox wrote:
> I'm using Unbound for recursive caching (serving internal network).
> I would like to use DNSSEC and also encrypt the outbound traffic,
> but I have doubts about the following:
> 
> * Unbound does not support encryption natively (from own code
> base) AFAIK. I have come across two methods to encrypt DNS traffic:
> TOR and DNSCrypt. Are there any other alternatives?

You would need answers from other members of this mailing list for
that.  ssl-upstream is one option, but it needs an upstream resolver
that performs this weird style of encryption (i.e. another unbound).

> * Will DNSSEC be disabled when using any encryption method or if
> the DNS query is forwarded to listening daemon (like
> TOR/DNSCrypt)?

No, DNSSEC can work if enabled.

> * When forwarding to a locally listening daemon, 
> "do-not-query-localhost: no" must be enabled for forwarding to
> work. Is this a security risk?

It is there as a second-order-mitigation for certain self-recursion
exploits.  But if you disable it I would consider it no security risk.

> * Does one specify a forward-zone when using DNSSEC, or is it left
> up to Unbound to decide (or maybe either method is acceptable)? I
> think without forward-zone, Unbound just uses the list from
> root.hints?

This is independent from DNSSEC.  You will have to set the
forward-zone to forward to another place, if you want.  Otherwise it
uses the root.hints.

> * I have setup DNSSEC using the unbound-anchor command, and
> root.key shows date as: Feb  1 15:12:15 2014. Tests show however,
> that server is NOT using DNSSEC. Debug is set to verbosity: 4, and
> log shows no errors. All files in /var/unbound are owned by
> unbound:unbound with exception of unbound.conf.

You (most likely I think) have not configured auto-trust-anchor-file:
"/var/unbound/root.key" in unbound.conf.

Best regards,
   Wouter

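The three configuration points in the exchange above (a forward-zone pointing at a daemon on localhost needs do-not-query-localhost: no, DNSSEC validation is only on once a trust anchor option such as auto-trust-anchor-file is in unbound.conf, and with chroot set the anchor path must be inside the chroot) are easy to get wrong silently. The following is an added example, not code from Unbound or from either participant: a small lint script with a minimal unbound.conf parser and two constructed sample configs, one broken the way the original poster's setup apparently was and one corrected. The forwarder address 127.0.0.1@5353 and the chroot directory are assumptions for illustration.

```python
"""Lint an unbound.conf for the pitfalls discussed in the thread (added example).

Hypothetical checks, not part of Unbound itself:
 - a forward-zone that sends queries to 127.0.0.1/::1 (e.g. a local DNSCrypt
   or Tor resolver) needs 'do-not-query-localhost: no', otherwise Unbound
   refuses to query that forwarder;
 - DNSSEC validation only happens when a trust anchor option is configured
   (running unbound-anchor alone writes root.key but enables nothing);
 - with 'chroot:' set, an absolute anchor path must lie inside the chroot.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Top-level clauses of unbound.conf that this checker understands.
CLAUSES = {"server", "forward-zone", "stub-zone", "remote-control"}
ANCHOR_KEYS = ("auto-trust-anchor-file", "trust-anchor-file",
               "trust-anchor", "trusted-keys-file")

Clause = Tuple[str, List[Tuple[str, str]]]


def parse_unbound_conf(text: str) -> List[Clause]:
    """Minimal parser: '#' comments, 'clause:' headers, 'key: value' lines.
    Surrounding double quotes on values are removed."""
    clauses: List[Clause] = []
    current: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if key in CLAUSES and value == "":
            current = []
            clauses.append((key, current))
            continue
        if not clauses:
            raise ValueError(f"option before any clause: {raw!r}")
        current.append((key, value.strip('"')))
    return clauses


def server_option(clauses: List[Clause], key: str) -> Optional[str]:
    """Last value given for a server: option, or None when unset."""
    value = None
    for name, opts in clauses:
        if name == "server":
            for k, v in opts:
                if k == key:
                    value = v
    return value


def is_loopback_addr(addr: str) -> bool:
    """forward-addr values look like '127.0.0.1', '::1@5353' or '9.9.9.9@853'."""
    host = addr.rpartition("@")[0] if "@" in addr else addr
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal; leave it to unbound-checkconf


def lint(text: str) -> List[str]:
    """Return a list of findings (empty list means the config passes)."""
    clauses = parse_unbound_conf(text)
    findings: List[str] = []

    # 1. Forwarding to a daemon on localhost: Unbound's default is
    #    do-not-query-localhost: yes, which silently blocks the forwarder.
    dnql = (server_option(clauses, "do-not-query-localhost") or "yes").lower()
    for name, opts in clauses:
        if name != "forward-zone":
            continue
        zone = dict(opts).get("name", "?")
        loop = [v for k, v in opts if k == "forward-addr" and is_loopback_addr(v)]
        if loop and dnql != "no":
            findings.append(f"forward-zone {zone}: forwards to {loop[0]} but "
                            "do-not-query-localhost is not 'no'")

    # 2. No trust anchor option means no DNSSEC validation at all.
    anchors = [(k, v) for n, o in clauses if n == "server"
               for k, v in o if k in ANCHOR_KEYS]
    if not anchors:
        findings.append("no trust anchor option (e.g. auto-trust-anchor-file); "
                        "DNSSEC validation is off")

    # 3. Absolute paths must sit inside the chroot when one is configured.
    chroot = server_option(clauses, "chroot")
    for k, v in anchors:
        if chroot and v.startswith("/") and not v.startswith(chroot.rstrip("/") + "/"):
            findings.append(f"{k} {v} is outside chroot {chroot}")
    return findings


# Constructed sample configs (assumed paths and forwarder address).
BROKEN_CONF = """\
server:
    verbosity: 4
    interface: 192.0.2.1
    chroot: "/var/unbound"
    # unbound-anchor was run, but nothing here tells Unbound to use root.key
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353   # assumed local DNSCrypt/Tor resolver
"""

FIXED_CONF = """\
server:
    verbosity: 4
    interface: 192.0.2.1
    chroot: "/var/unbound"
    do-not-query-localhost: no
    auto-trust-anchor-file: "/var/unbound/root.key"
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint(conf) or ["ok"])
```

The checker is deliberately conservative: it only flags what the thread covers, and a clean result still does not prove validation works, so follow up with unbound-checkconf and a query for a known-signed name with dig +dnssec to confirm the AD flag is set.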