Hi Beeblebrox, I think the necessary steps are

1) unbound-anchor -a /var/unbound/root.key
2) fetch ftp://ftp.internic.net/domain/named.cache and save the file as root.hints
3) fetch http://ftp.isc.org/www/dlv/dlv.isc.org.key and set up the configuration in your unbound.conf:

    dlv-anchor-file: "/var/unbound/dlv.isc.org.key"

Now restart unbound. That should make it work. I had the same problem. Dlv is necessary as many top domains are not signed yet, so users have to use dlv as an alternative signatory.

Regards,
Michael

-----Original Message-----
From: Unbound-users [mailto:[email protected]] On Behalf Of Beeblebrox
Sent: Tuesday, 24 June, 2014 5:12 PM
Cc: [email protected]
Subject: Re: [Unbound-users] Not sure if and why DNSSEC not working

I'm stuck on how to debug this. Are there any other tests I can run so as to find what's happening on my end?

My unbound.conf is below and may have some "UNusual settings" with regards to 127.0.0.1. That's because normally dnscrypt-proxy is running inside the same FreeBSD jail (VM) and unbound should forward queries to it as a forward zone.

unbound.conf:

server:
    verbosity: 3
    chroot: ""
    interface: 127.0.0.1
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    root-hints: "/var/unbound/root.hints"
    auto-trust-anchor-file: "/var/unbound/root.key"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    unwanted-reply-threshold: 10000
    val-clean-additional: yes
    use-caps-for-id: yes
    cache-min-ttl: 43200
    cache-max-ttl: 172800
    prefetch: yes
    prefetch-key: yes
    num-threads: 1
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    rrset-cache-size: 32m
    msg-cache-size: 16m
    private-address: 192.168.1.0/24
    private-address: 192.168.2.0/24
    # private-address: 127.0.1.0/28 - breaks dnscrypt-proxy
    do-not-query-localhost: no

# Disabled_for_DNSSEC_debuging
# forward-zone:
#     name: "."
#     forward-addr: 192.168.2.xx@9040
#_setting 127.0.0.1@9040 does not work for some odd reason.
/EOF

--
FreeBSD_amd64_11-Current_RadeonKMS
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
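
Added example (not part of the original thread and not code from the Unbound project): a small Python check that reads an unbound.conf and reports which of the three files named in the reply's steps (root.key, root.hints, dlv.isc.org.key) the server clause actually references. The sample input is a constructed, shortened copy of the configuration posted in the thread, and the function names are this example's own.

```python
import re

# Options the reply's three steps rely on (all are real unbound.conf options).
ANCHOR_OPTIONS = ("auto-trust-anchor-file", "root-hints", "dlv-anchor-file")

# Constructed sample: a shortened copy of the unbound.conf posted in the thread.
SAMPLE_CONF = '''\
server:
    verbosity: 3
    chroot: ""
    root-hints: "/var/unbound/root.hints"
    auto-trust-anchor-file: "/var/unbound/root.key"
    harden-dnssec-stripped: yes
    # private-address: 127.0.1.0/28 - breaks dnscrypt-proxy
    do-not-query-localhost: no
# forward-zone:
#     name: "."
'''

def parse_unbound_conf(text):
    """Return {clause: {option: [values]}}; commented-out lines are ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r'^([A-Za-z0-9-]+):\s*(.*)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "":                          # clause header such as "server:"
            section = key
            conf.setdefault(section, {})
        elif section is not None:                # 'chroot: ""' is kept as an empty value
            conf[section].setdefault(key, []).append(value.strip('"'))
    return conf

def anchor_report(text):
    """Map each anchor-related option to its last configured path, or None."""
    server = parse_unbound_conf(text).get("server", {})
    return {opt: server.get(opt, [None])[-1] for opt in ANCHOR_OPTIONS}

if __name__ == "__main__":
    for opt, path in anchor_report(SAMPLE_CONF).items():
        print(f"{opt:24} {path or 'NOT SET'}")
```

On the sample, the report shows root-hints and auto-trust-anchor-file set and dlv-anchor-file not set, which is the difference between the posted configuration and the steps in the reply.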
