Maintained by: NLnet Labs

[Unbound-users] DNSSEC and traffic encryption questions

Beeblebrox
Mon Feb 24 13:52:29 CET 2014


Hi Wouter. Thanks for your explanation.

For the dnssec not-enabled problem, my unbound.conf has that file
enabled. Other settings (edited to save space). Currently no
forward-zones defined
port: 53 \ do-ip4: yes \ do-ip6: no \ do-udp: yes \ do-tcp: yes
root-hints: "/var/unbound/root.hints"
hide-identity: yes \ hide-version: yes
harden-dnssec-stripped: yes \ harden-short-bufsize: yes \
harden-large-queries: yes
auto-trust-anchor-file: "/var/unbound/root.key" \ val-clean-additional: yes
------------------------
drill com. SOA +dnssec
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 56264
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION: \ ;; +dnssec. IN SOA
;; ANSWER SECTION:
;; AUTHORITY SECTION:  86400 IN SOA a.root-servers.net.
nstld.verisign-grs.com. 2014022400 1800 900 604800 86400
-----------------------

Also, if I set "include: /var/unbound/ad_servers" in unbound.conf, it
breaks the server start-up for some reason. The file has a parsed list
from yoyo-ad-servers, in the form:
local-zone: "101com.com" redirect
local-data: "101com.com A 127.0.0.1"    ...etc
What's the correct syntax for "include"?

Regards.