Beeblebrox <zaphod at berentweb.com> wrote: > It seems I finally figured out using dnscrypt + unbound + DNSSEC: > * Stop Unbound and specify the dnscrypt-proxy IP:port as "forward-addr" in > unbound.conf > * Start dnscrypt-proxy with below, where provider-key / provider-name is > whatever you choose from http://dnscrypt.org. For example: > dnscrypt_proxy_flags="-d -a <listen-ip>:port --provider-key > 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 > --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --resolver-address= > 22.214.171.124:443" > * Now re-run: # unbound-anchor -a "/var/unbound/root.key", which will > refresh/reset the root.key to signature of forward-addr, which in turn is > the dnscrypt-proxy signature given when we started dnscrypt. Is there some re-signing going on? DNSSEC is supposed to be end-to-end so the same root trust anchor should work regardless of where the DNS data comes from. Tony. -- f.anthony.n.finch <dot at dotat.at> http://dotat.at/ Viking, North Utsire, South Utsire: Southerly or southwesterly, becoming cyclonic for a time in Viking, 5 to 7, perhaps gale 8 later, decreasing 4 for a time. Moderate or rough. Occasional rain. Moderate or poor.