Maintained by: NLnet Labs

[Unbound-users] Not sure if and why DNSSEC not working

Beeblebrox
Tue Jun 24 11:11:41 CEST 2014


I'm stuck on how to debug this.
Are there any other tests I can run so as to find what's happening on
my end?

My unbound.conf is below and may have some "UNusual settings" with
regards to 127.0.0.1. That's because normally dnscrypt-proxy is
running inside the same FreeBSD jail (VM) and unbound should forward
queries to it as a forward zone.

unbound.conf:
server:
  verbosity: 3
  chroot: ""

    interface: 127.0.0.1
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    root-hints: "/var/unbound/root.hints"
    auto-trust-anchor-file: "/var/unbound/root.key"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    unwanted-reply-threshold: 10000
    val-clean-additional: yes
    use-caps-for-id: yes
    cache-min-ttl: 43200
    cache-max-ttl: 172800
    prefetch: yes
    prefetch-key: yes

    num-threads: 1
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    rrset-cache-size: 32m
    msg-cache-size: 16m

    private-address: 192.168.1.0/24
    private-address: 192.168.2.0/24

#   private-address: 127.0.1.0/28  - breaks dnscrypt-proxy
    do-not-query-localhost: no

#   Disabled_for_DNSSEC_debuging
#   forward-zone:
#   name: "."
#   forward-addr: 192.168.2.xx at 9040 #_setting 127.0.0.1 at 9040 does not
work for some odd reason.
/EOF
-- 
FreeBSD_amd64_11-Current_RadeonKMS