Maintained by: NLnet Labs

[Unbound-users] DNSSEC and traffic encryption questions

Beeblebrox
Mon Feb 24 15:37:04 CET 2014


Leen: Thanks for the tip. It still would not start, then I deleted
most of the entries in the included file, leaving 15 or so records in
it. Unbound then started correctly. Apparently there was an entry in the
file that Unbound disliked. I wish it would have complained instead
of dying silently. (verbose is now 5)

> There is not currently any common way to encrypt DNS.
(Tony) - well then, it's dnscrypt / tor until encryption becomes available.
I have dnscrypt working and Unbound correctly forwards to that. I do
want to get tor-dns working as well however, especially since socks-5
has a dns-listener on 9053 (udp). I tried as below, but it did not
work, probably because Unbound used tcp? Is there a way to inform
Unbound that the forward should be udp?
 forward-addr: 192.168.2.xx@9053

Back to the DNSSEC issue. Debug output for Unbound start-up below. Is
there any verbose output I can provide?
setup SSL certificates
chdir to /var/unbound
drop user privileges, run as unbound
module config: "validator iterator"
reading autotrust anchor file /var/unbound/root.key
validator nsec3cfg keysz 1024 mxiter 150
validator nsec3cfg keysz 2048 mxiter 500
validator nsec3cfg keysz 4096 mxiter 2500
target fetch policy for level 0 is 3
target fetch policy for level 1 is 2
target fetch policy for level 2 is 1
target fetch policy for level 3 is 0
target fetch policy for level 4 is 0
total of 59567 outgoing ports available
start threads
vent mini-event-1.4.20 uses not_obtainable method.
Reading root hints from /var/unbound/root.hints
cache memory msg=66072 rrset=66072 infra=2600 val=66280
autotrust probe timer callback