Maintained by: NLnet Labs

[Unbound-users] DNSSEC and traffic encryption questions

Beeblebrox
Wed Feb 26 15:23:58 CET 2014


Thank you for your reply.

It occurred to me when reading your message, that I'm actually using two keys:
1. var/unbound/root.key, which was generated by unbound-anchor
2. The key that dnscrypt-proxy needs to use, which is invoked by:
--provider-key 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
--provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu
--resolver-address=176.56.237.171:443

I'm getting mixed results with this chain when dnssec is enabled - it
works ok for a while then seems to phase out. Some DNS queries return
empty string, while 1/2 hour ago the query returned normally. Not the
case when NOT using dnssec.

* Can the fluctuating performance of my setup be attributed to the
fact that two separate keys are being used? Shouldn't I be using just
one key?
* When doing drill -k, which key should I reference? root.key or
provider-key that dnscrypt-proxy is using?  =>

$ drill -k var/unbound/root.key -TD com. SOA
;; Number of trusted keys: 1
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 33655 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: .    172800    IN    DNSKEY    <numbers> ; {id = 33655 (zsk),
size = 1024b}
Trusted key: .    172800    IN    DNSKEY    <numbers> ;{id = 19036
(ksk), size = 2048b}
Trusted key: .    172800    IN    DNSKEY    <numbers> ;{id = 33655
(zsk), size = 1024b}
Key is now trusted!
Trusted key: .    172800    IN    <numbers> ;{id = 19036 (ksk), size = 2048b}
[T] com. 86400 IN DS 30909 8 2
e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
[B] ;; Error verifying denial of existence for name com.NS: No DNSSEC
signature(s)
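The two keys in the post serve different layers: the dnscrypt-proxy provider key authenticates the encrypted transport to one resolver, while root.key is the DNSSEC trust anchor that drill -k and Unbound use to validate answers, and the drill trace above shows how that anchor is linked downward (the trusted root DNSKEY signs the com. DS record, whose digest must match the com. KSK). The following is an added example, not code from the original post or from NLnet Labs, showing how a DS record is derived from a DNSKEY per RFC 4034 (key tag from Appendix B, SHA-256 digest for digest type 2), so a practitioner can check whether a DS seen in a trace actually corresponds to a given key. The DNSKEY bytes are constructed for illustration and are not a real root or com. key; `check_ds` and `ds_from_dnskey` are names chosen here.

```python
import base64
import hashlib
from typing import NamedTuple


class DNSKEY(NamedTuple):
    flags: int      # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int   # always 3 for DNSSEC
    algorithm: int  # 8 = RSA/SHA-256, as in the trace above
    pubkey: bytes   # raw public key field

    @classmethod
    def from_presentation(cls, text: str) -> "DNSKEY":
        """Parse 'flags proto alg base64...' as printed by drill/dig."""
        flags, proto, alg, *b64 = text.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.pubkey)


class DS(NamedTuple):
    keytag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, as in '[T] com. 86400 IN DS 30909 8 2 e2d3...'


def keytag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag: 16-bit ones-complement-style sum of RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(owner: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name; '.' is the root."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS = digest(owner_wire || DNSKEY_rdata); type 2 is SHA-256."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).hexdigest()
    return DS(keytag(key), key.algorithm, digest_type, digest)


def check_ds(owner: str, key: DNSKEY, ds: DS) -> bool:
    """True if the parent's DS really covers this child DNSKEY (the link the
    drill trace checks when it prints '[T] com. ... DS ...')."""
    try:
        expected = ds_from_dnskey(owner, key, ds.digest_type)
    except ValueError:
        return False
    return expected == DS(ds.keytag, ds.algorithm, ds.digest_type, ds.digest.lower())


# Constructed sample key (NOT a real root/com. key): RSA exponent 65537 plus
# a few placeholder modulus bytes, flagged as a KSK with algorithm 8.
SAMPLE_KSK = DNSKEY(257, 3, 8, b"\x03\x01\x00\x01" + b"\xde\xad\xbe\xef")
SAMPLE_DS = ds_from_dnskey("com.", SAMPLE_KSK)


def demo() -> dict:
    """Show the DS/DNSKEY link holding, then failing when the key is altered."""
    tampered = SAMPLE_KSK._replace(pubkey=SAMPLE_KSK.pubkey[:-1] + b"\x00")
    return {
        "keytag": keytag(SAMPLE_KSK),
        "ds": SAMPLE_DS,
        "genuine_key_matches": check_ds("com.", SAMPLE_KSK, SAMPLE_DS),
        "tampered_key_matches": check_ds("com.", tampered, SAMPLE_DS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

To use this against live data, paste the `DNSKEY 257 3 8 <base64>` line for com. into `DNSKEY.from_presentation` and compare `ds_from_dnskey("com.", key)` with the DS record the trace printed; a mismatch means the DS does not cover that key and validation will fail regardless of which transport (DNSCrypt or plain UDP) carried the answer.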