Maintained by: NLnet Labs

[Unbound-users] DNSSEC and traffic encryption questions

Mon Feb 24 16:31:08 CET 2014

> unbound-checkconf is your friend
Thank you Jaap. The error was "duplicate zone entry" which checkconf
showed, and was corrected.

The dnssec check at shows
Permissive mode detected:  Your DNSSEC is configured in "permissive
mode" (or you use a combination of validating- and non-validating
resolvers) and as such you are not protected.

I don't have "dnssec-accept-expired" or "val-permissive-mode" set in
the config file, and google did not turn up much else. I don't imagine
any "private-address" entry to cause permissive diagnosis.

One final thought: I have Unbound (and dnscrypt-proxy) running in a
FreeBSD jail that has devfs mounted but nothing else. Jail rules do
not allow the likes of "creating raw sockets"  from inside the jail.
Are there any special socket/devfs requirements for dnssec that are
apart from the requirements for Unbound to run properly? Since Unbound
is in a jail, no need for chroot ( chroot: "" )