[Unbound-users] DNSSEC and traffic encryption questions
zaphod at berentweb.com
Mon Feb 24 16:31:08 CET 2014
> unbound-checkconf is your friend

Thank you Jaap. The error was "duplicate zone entry" which checkconf
showed, and was corrected.

The dnssec check at http://dnssectest.sidnlabs.nl/test.php shows

Permissive mode detected: Your DNSSEC is configured in "permissive
mode" (or you use a combination of validating- and non-validating
resolvers) and as such you are not protected.

I don't have "dnssec-accept-expired" or "val-permissive-mode" set in
the config file, and Google did not turn up much else. I don't imagine
any "private-address" entry to cause permissive diagnosis.

One final thought: I have Unbound (and dnscrypt-proxy) running in a
FreeBSD jail that has devfs mounted but nothing else. Jail rules do
not allow the likes of "creating raw sockets" from inside the jail.
Are there any special socket/devfs requirements for dnssec that are
apart from the requirements for Unbound to run properly? Since Unbound
is in a jail, no need for chroot ( chroot: "" )
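
The test result quoted above names two possible causes: permissive validation, or a mix of validating and non-validating resolvers. The following is an added example, not part of the original post or of Unbound itself: a small audit that looks for both in an unbound.conf and a resolv.conf. The sample file contents, the root.key path and the assumption that the validating Unbound is reached on a loopback address are all constructed; `include:` directives are not followed.

```python
import re

# Constructed sample inputs for illustration; not taken from the original post.
SAMPLE_UNBOUND_CONF = '''\
server:
    interface: 127.0.0.1
    chroot: ""
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"  # path is an assumption
    val-permissive-mode: no
'''
SAMPLE_RESOLV_CONF = '''\
nameserver 127.0.0.1
nameserver 192.0.2.53
'''

# Unbound options that supply a DNSSEC trust anchor to the validator.
ANCHOR_OPTS = {"auto-trust-anchor-file", "trust-anchor-file",
               "trust-anchor", "trusted-keys-file"}


def parse_unbound(text):
    """Collect 'option: value' pairs; clause headers like 'server:' are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # naive comment strip
        m = re.match(r"([a-z0-9-]+):\s*(\S.*)$", line)
        if m:
            opts.setdefault(m.group(1), []).append(m.group(2).strip().strip('"'))
    return opts


def audit(unbound_conf, resolv_conf, validating=("127.0.0.1", "::1")):
    """Return findings that could explain a 'permissive mode' test result."""
    opts, findings = parse_unbound(unbound_conf), []
    if "yes" in opts.get("val-permissive-mode", []):
        findings.append("val-permissive-mode is enabled")
    modules = opts.get("module-config")
    if modules and "validator" not in modules[-1].split():
        findings.append("module-config does not load the validator")
    if not ANCHOR_OPTS & opts.keys():
        findings.append("no trust anchor configured")
    # Any resolver other than the validating one lets unvalidated answers through.
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in validating:
            findings.append("resolv.conf also uses " + parts[1])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_UNBOUND_CONF, SAMPLE_RESOLV_CONF):
        print("WARN:", finding)
```

Run it against the resolv.conf of the machine where the browser test was performed, since that is the resolver path the test page observes.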