Maintained by: NLnet Labs

[Unbound-users] DNSSEC and traffic encryption questions

Tony Finch
Thu Mar 6 14:48:59 CET 2014

Beeblebrox <zaphod at> wrote:

> It seems I finally figured out using dnscrypt + unbound + DNSSEC:
> * Stop Unbound and specify the dnscrypt-proxy IP:port as "forward-addr" in
> unbound.conf
> * Start dnscrypt-proxy with below, where provider-key / provider-name is
> whatever you choose from For example:
> dnscrypt_proxy_flags="-d -a <listen-ip>:port --provider-key
> 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
> --resolver-address=
> * Now re-run: # unbound-anchor -a "/var/unbound/root.key", which will
> refresh/reset the root.key to signature of forward-addr, which in turn is
> the dnscrypt-proxy signature given when we started dnscrypt.

Is there some re-signing going on? DNSSEC is supposed to be end-to-end so
the same root trust anchor should work regardless of where the DNS data
comes from.

f.anthony.n.finch  <dot at>
Viking, North Utsire, South Utsire: Southerly or southwesterly, becoming
cyclonic for a time in Viking, 5 to 7, perhaps gale 8 later, decreasing 4 for
a time. Moderate or rough. Occasional rain. Moderate or poor.
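The setup quoted above, as an added example that is not part of the original post or of the Unbound project's own files. It puts the forwarder where Unbound expects it (a `forward-zone` clause, not a bare `forward-addr`), keeps Unbound's own validator on, and points at the IANA root trust anchor via `auto-trust-anchor-file`, which Unbound maintains by RFC 5011 and which does not depend on the forwarder at all; that is the end-to-end property Tony refers to. The listen address 127.0.0.1:5353 for dnscrypt-proxy, the name `nlnetlabs.nl` used by the live check, and the hypothetical helper names are assumptions; the trust-anchor path is the one from the post. The dnscrypt-proxy command line itself is left as the poster gave it.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Forward Unbound to a local
# dnscrypt-proxy while Unbound keeps validating against the IANA root KSK.
# Assumed (not in the original): dnscrypt-proxy listens on 127.0.0.1:5353.

DNSCRYPT_ADDR="${DNSCRYPT_ADDR:-127.0.0.1}"
DNSCRYPT_PORT="${DNSCRYPT_PORT:-5353}"
ROOT_KEY="${ROOT_KEY:-/var/unbound/root.key}"   # path from the post

# Emit an unbound.conf that forwards all queries to dnscrypt-proxy but still
# validates DNSSEC locally. The trust anchor is the IANA root key, fetched and
# maintained by Unbound (RFC 5011); it is never derived from the forwarder, so
# unbound-anchor does not need re-running when the forwarder changes.
write_unbound_conf() {
    out="$1"
    cat > "$out" <<EOF
server:
    auto-trust-anchor-file: "$ROOT_KEY"
    # Unbound refuses to query 127.0.0.0/8 unless told otherwise.
    do-not-query-localhost: no
    # Default module chain; listed so the validator is visibly in place.
    module-config: "validator iterator"

forward-zone:
    name: "."
    forward-addr: $DNSCRYPT_ADDR@$DNSCRYPT_PORT
EOF
}

# Inspect a dig reply header and report whether the AD (authenticated data)
# flag is set, i.e. whether the local Unbound validated the answer itself.
# Exit status 0 when validated, 1 otherwise.
has_ad_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.*[ ,]ad[ ;,]'
}

# Constructed sample dig header lines, not real captures.
SAMPLE_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live check: syntax-check the config and ask the running Unbound for a
# DNSSEC-signed name. Skipped silently when the tools or the daemon are absent.
live_check() {
    command -v unbound-checkconf >/dev/null 2>&1 && unbound-checkconf "$1"
    command -v dig >/dev/null 2>&1 || return 0
    reply=$(dig +dnssec @127.0.0.1 nlnetlabs.nl A 2>/dev/null) || return 0
    if has_ad_flag "$reply"; then
        echo "validated by the local Unbound (AD set)"
    else
        echo "answer not validated (AD clear)"
    fi
}

if [ "${1:-}" = "live" ]; then
    write_unbound_conf /tmp/unbound.conf
    live_check /tmp/unbound.conf
fi
```

Run it as `sh setup.sh live` on a host where Unbound is already listening on 127.0.0.1. If the AD flag is clear, check the resolver's own logs rather than the forwarder: with `do-not-query-localhost: no` missing, Unbound will not reach dnscrypt-proxy at all and answers SERVFAIL; with the anchor file missing or unreadable it answers without validating. The dnscrypt-proxy provider key protects the hop to the upstream resolver only and plays no part in DNSSEC validation.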