Hi Beeblebrox,

On 02/24/2014 12:37 PM, Beeblebrox wrote:
> I'm using Unbound for recursive caching (serving internal network).
> I would like to use DNSSEC and also encrypt the outbound traffic,
> but I have doubts about the following:
>
> * Unbound does not support encryption natively (from own code
> base) AFAIK. I have come across two methods to encrypt DNS traffic:
> TOR and DNSCrypt. Are there any other alternatives?

You would need answers from other members of this mailing list for that. ssl-upstream is one option, but it needs an upstream resolver that performs this weird style of encryption (i.e. another unbound).

> * Will DNSSEC be disabled when using any encryption method or if
> the DNS query is forwarded to a listening daemon (like
> TOR/DNSCrypt)?

No, DNSSEC can work if enabled.

> * When forwarding to a locally listening daemon,
> "do-not-query-localhost: no" must be enabled for forwarding to
> work. Is this a security risk?

It is there as a second-order mitigation for certain self-recursion exploits. But if you disable it I would consider it no security risk.

> * Does one specify a forward-zone when using DNSSEC, or is it left
> up to Unbound to decide (or maybe either method is acceptable)? I
> think without forward-zone, Unbound just uses the list from
> root.hints?

This is independent from DNSSEC. You will have to set the forward-zone to forward to another place, if you want. Otherwise it uses the root.hints.

> * I have set up DNSSEC using the unbound-anchor command, and
> root.key shows the date as: Feb 1 15:12:15 2014. Tests show however
> that the server is NOT using DNSSEC. Debug is set to verbosity: 4, and
> the log shows no errors. All files in /var/unbound are owned by
> unbound:unbound with the exception of unbound.conf.

You (most likely I think) have not configured auto-trust-anchor-file: "/var/unbound/root.key" in unbound.conf.
Best regards, Wouter

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
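A worked unbound.conf that puts the points of the reply together, added here as an example; it is not taken from the post above or from the Unbound distribution. The /var/unbound paths and the root.key trust anchor come from the thread; the internal 10.0.0.0/8 range and the 127.0.0.1@5353 address of the local DNSCrypt or Tor listener are assumptions, as is the commented ssl-upstream alternative.

```conf
# Added example, not from the mailing list post.
# Assumptions: internal clients live in 10.0.0.0/8, and a DNSCrypt proxy
# or Tor DNSPort listens on 127.0.0.1 port 5353.
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow

    # DNSSEC validation. This is the line the original poster was missing:
    # root.key was created with `unbound-anchor -a /var/unbound/root.key`,
    # but Unbound only validates once it is told to use that anchor.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Fail closed: a BOGUS answer becomes SERVFAIL instead of being handed
    # to clients with the validation result stripped.
    val-permissive-mode: no

    # The default "yes" only blocks Unbound from querying itself (the
    # second-order mitigation mentioned in the reply). Forwarding to a
    # daemon on 127.0.0.1 needs it switched off.
    do-not-query-localhost: no

    # Optional alternative to the local proxy below: TLS to another Unbound
    # (the ssl-upstream option from the reply). The peer's TLS port is an
    # assumption; it is whatever ssl-port that Unbound serves on.
    # ssl-upstream: yes

    verbosity: 1

# Send all recursion through the locally listening encrypting proxy.
# Without a forward-zone for "." Unbound walks from root.hints instead,
# which is independent of whether DNSSEC validation is on.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
```

Validation still happens inside Unbound when a forward-zone is in use, but it depends on the forwarder passing RRSIG and DNSKEY records through; a proxy that strips them makes signed zones come back bogus, and with val-permissive-mode: no that shows up as SERVFAIL rather than as silently unvalidated answers. To confirm the fix for the poster's last symptom, run `unbound-checkconf /var/unbound/unbound.conf` and then `unbound-host -C /var/unbound/unbound.conf -v nlnetlabs.nl`; a signed name should print `(secure)`. Seeing `(insecure)` for a signed zone is exactly what a missing auto-trust-anchor-file line looks like, since the log shows no error for an anchor that was never loaded.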
