On 07/26/2011 06:41 AM, Paul Wouters wrote:
>
> The easiest integration would be to configure unbound with a forwarder for
> 127.0.0.1 XXX where XXX would lead into a tor virtual circuit to google's
> 8.8.8.8 open resolver (that supports dnssec). tor could frequently change

Hi Paul,

Are you sure 8.8.8.8 supports DNSSEC? Because then I would have expected this to work:

$ cat /etc/resolv.conf
nameserver 8.8.8.8

$ ./unbound-host -h | grep Version
# with ldns-1.6.10 and only one configure option: --disable-gost
Version 1.4.12

$ ./unbound-host -r -d -vy '. DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5' cz -t DS
[1311679359] libunbound[32251:0] notice: init module 0: validator
[1311679359] libunbound[32251:0] notice: init module 1: iterator
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: prime trust anchor
[1311679359] libunbound[32251:0] info: resolving . DNSKEY IN
[1311679359] libunbound[32251:0] info: response for . DNSKEY IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was ANSWER
[1311679359] libunbound[32251:0] info: validate keys with anchor(DS): sec_status_secure
[1311679359] libunbound[32251:0] info: Successfully primed trust anchor . DNSKEY IN
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679360] libunbound[32251:0] info: response for cz. DS IN
[1311679360] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679360] libunbound[32251:0] info: query response was nodata ANSWER
[1311679360] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679360] libunbound[32251:0] info: Could not establish a chain of trust to keys for cz. DNSKEY IN
cz has no DS record (BOGUS (security failure))
validation failure <cz. DS IN>: no signatures with algorithm RSASHA256 from 8.8.8.8 for DS cz. while building chain of trust

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
