[Unbound-users] DNSSEC and traffic encryption questions
wouter at nlnetlabs.nl
Mon Feb 24 13:24:47 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
On 02/24/2014 12:37 PM, Beeblebrox wrote:
> I'm using Unbound for recursive caching (serving internal network).
> I would like to use DNSSEC and also encrypt the outbound traffic,
> but I have doubts about foloowing:
> * Unbound does not support encryption natively (from own code
> base) AFAIK. I have come across two methods to encrypt DNS traffic:
> TOR and DNSCrypt. Are there any other alternatives?
You would need answers from other member of this mailing list for
that. ssl-upstream is one option, but it needs an upstream resolver
that performs this weird style of encryption (i.e. another unbound).
> * Will DNSSEC be disabled when using any encryption method or if
> the DNS query is forwarded to listening daemon (like
No, dnssec can work if enabled.
> * When forwarding to a locally listening daemon,
> "do-not-query-localhost: no" must be enabled for forwarding to
> work. Is this a security risk?
It is there as a second-order-mitigation for certain self-recursion
exploits. But if you disable it I would consider it no security risk.
> * Does one specify a forward-zone when using DNSSEC, or is it left
> up to Unbound to decide (or maybe either method is acceptable)? I
> think without forward-zone, Unbound just uses the list from
This is independent from DNSSEC. You will have to set the
forward-zone to forward to another place, if you want. Otherwise it
uses the root.hints.
> * I have setup DNSSEC using the unbound-anchor command, and
> root.key shows date as: Feb 1 15:12:15 2014. Tests show however,
> that server is NOT using DNSSEC. Debug is set to verbosity: 4, and
> log shows no errors. All files in /var/unbound are owned by
> unbound:unbound with exception of unbound.conf.
You (most likely I think) have not configured auto-trust-anchor-file:
"/var/unbound/root.key" in unbound.conf.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the Unbound-users