> unbound-checkconf is your friend

Thank you Jaap. The error was "duplicate zone entry" which checkconf showed, and was corrected.

The dnssec check at http://dnssectest.sidnlabs.nl/test.php shows:

    Permissive mode detected: Your DNSSEC is configured in "permissive mode" (or you use a combination of validating- and non-validating resolvers) and as such you are not protected.

I don't have "dnssec-accept-expired" or "val-permissive-mode" set in the config file, and Google did not turn up much else. I don't imagine any "private-address" entry to cause permissive diagnosis.

One final thought: I have Unbound (and dnscrypt-proxy) running in a FreeBSD jail that has devfs mounted but nothing else. Jail rules do not allow the likes of "creating raw sockets" from inside the jail. Are there any special socket/devfs requirements for dnssec that are apart from the requirements for Unbound to run properly?

Since Unbound is in a jail, no need for chroot ( chroot: "" )
