Hello,

I'm running unbound locally on 127.0.0.1 and a DNS TCP proxy (ttdnsd) on 127.0.0.2. The setup is a simple forward-zone; I ask unbound and unbound asks ttdnsd:

    forward-zone:
        name: "."
        forward-addr: 127.0.0.2

Now I'm trying to get DNSSEC working but I've run into some problems. The auto-trust-anchor-file (root.key in this case) has been successfully updated, but:

    $ dig com. SOA +dnssec @127.0.0.1

doesn't set the AD flag in the response. Instead I get the following in my logfile:

    validation failure <com. SOA IN>: key for validation com. is marked as invalid because of a previous validation failure <com. SOA IN>: signatures from unknown keys from 127.0.0.2 for DS com. while building chain of trust

Querying ttdnsd with:

    $ dig com. SOA +dnssec @127.0.0.2

gives me a SOA and RRSIG record back (but no AD). I'm guessing this is because ttdnsd doesn't support validating DNSSEC queries. Since I trust the local instance of ttdnsd, is there any way to "skip" that part of the validation chain and transparently "tunnel" through it?

Best regards,
Anders

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
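An added example, not part of the original post and not code from the unbound or ttdnsd projects: a stdlib-only Python tool that builds a query with the EDNS0 DO bit (what `dig +dnssec` sends), parses a DNS response, and reports whether the AD flag is set and whether RRSIGs came back in the answer, which is what the two dig commands above check by hand. The sample response bytes are constructed here (placeholder SOA and RRSIG contents, not real records for com.); `query_tcp` is the optional network path for sending the same query over TCP to a resolver such as the proxy on 127.0.0.2.

```python
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
EDNS_DO = 0x8000   # DO bit: high bit of the OPT record's TTL field (RFC 6891)
FLAG_AD = 0x0020   # AD bit in the DNS header flags word (RFC 4035)


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name; "." and "" both become the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(name: str, qtype: int, do_bit: bool = True, txid: int = 0x1234) -> bytes:
    """Query with RD set plus an EDNS0 OPT record; DO asks the server for RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do_bit else 0, 0)
    return header + question + opt


def _read_name(data: bytes, off: int):
    """Read a possibly compressed name; returns (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | data[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(data: bytes) -> dict:
    """Header flags plus (section, name, type) for every record; DO taken from the OPT RR."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4                                    # QTYPE + QCLASS
    records, do_bit = [], False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(data, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                do_bit = bool(ttl & EDNS_DO)
            records.append((section, name, rtype))
    return {"id": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0x0F,
            "do": do_bit, "records": records}


def classify(data: bytes) -> str:
    """AD set -> the responder validated; RRSIGs but no AD -> signed data nobody validated."""
    r = parse_response(data)
    if r["ad"]:
        return "validated"
    if any(t == TYPE_RRSIG for sec, _, t in r["records"] if sec == "answer"):
        return "signed, not validated"
    return "unsigned"


def sample_signed_unvalidated_response() -> bytes:
    """Constructed response shaped like the proxy's: SOA + RRSIG in the answer, AD clear."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)   # QR, RD, RA set; AD not set
    question = encode_name("com.") + struct.pack("!HH", TYPE_SOA, 1)
    soa_rdata = (encode_name("ns.example.") + encode_name("hostmaster.example.")
                 + struct.pack("!IIIII", 1, 1800, 900, 604800, 86400))
    # RRSIG fixed fields, signer name, then a placeholder 32-byte signature (not a real signature)
    rrsig_rdata = (struct.pack("!HBBIIIH", TYPE_SOA, 8, 1, 900, 0, 0, 0)
                   + encode_name("com.") + b"\x00" * 32)
    answer = b""
    for rtype, rdata in ((TYPE_SOA, soa_rdata), (TYPE_RRSIG, rrsig_rdata)):
        answer += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 900, len(rdata)) + rdata  # 0xc00c -> qname
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + answer + opt


def query_tcp(server: str, data: bytes, port: int = 53, timeout: float = 5.0) -> bytes:
    """Send a query over TCP (two-byte length prefix, RFC 1035 4.2.2); not used offline."""
    def recv_exact(sock, n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("short DNS/TCP response")
            buf += chunk
        return buf
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(data)) + data)
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return recv_exact(sock, length)


if __name__ == "__main__":
    print(classify(sample_signed_unvalidated_response()))   # signed, not validated
    # Live check against the proxy from the post (assumed reachable):
    # print(classify(query_tcp("127.0.0.2", build_query("com.", TYPE_SOA))))
```

The useful distinction is the middle case: a resolver that hands back RRSIGs with AD clear is returning signed data it did not itself validate, so the validating resolver in front of it (unbound here) has to build the chain of trust from the DS and DNSKEY answers that come through the same path, and any records missing or altered on that path show up as the "signatures from unknown keys" validation failure.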
