[Unbound-users] "Tunnel" dnssec through local forward-zone?
Anders Sundman
anders at 4zm.org
Mon Jul 25 16:40:52 UTC 2011
Hello,
I'm running unbound locally on 127.0.0.1 and a DNS TCP proxy (ttdnsd) on
127.0.0.2. The setup is a simple forward-zone; I ask unbound and unbound
asks ttdnsd:
forward-zone:
        name: "."
        forward-addr: 127.0.0.2
Now I'm trying to get dnssec working but I've run into some problems.
The auto-trust-anchor-file (root.key in this case) has been successfully
updated but:
$ dig com. SOA +dnssec @127.0.0.1
doesn't set the AD flag in the response. Instead I get the following in
my logfile:
"validation failure <com. SOA IN>: key for validation com. is marked as
invalid because of a previous validation failure <com. SOA IN>:
signatures from unknown keys from 127.0.0.2 for DS com. while building
chain of trust".
Querying ttdnsd with:
$ dig com. SOA +dnssec @127.0.0.2
Gives me a SOA and RRSIG record back (but no AD).
I'm guessing this is because ttdnsd doesn't support validating dnssec
queries.
Since I trust the local instance of ttdnsd - is there any way to "skip"
that part of the validation chain and transparently "tunnel" through it?
Best regards,
Anders
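The two dig checks above, as an added example that is not part of the original post: a small standard-library Python script that sends a query with the EDNS0 DO bit set and reports whether the reply carries the AD flag and how many RRSIGs sit in the answer section. AD is the resolver's own validation verdict; RRSIGs in the answer only show that the upstream passed signatures through, which is exactly the difference between the two responses described. Server address, name and type are whatever the caller passes in (the constants below are assumptions, not values from the post).

```python
import socket
import struct

RRSIG = 46  # RR type number of RRSIG

def build_query(qname, qtype=6, qid=0x1234):
    """Standard query (RD set) plus an EDNS0 OPT RR with the DO bit set."""
    hdr = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.rstrip(".").split(".") if l)
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN
    # OPT: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO=0x8000
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return hdr + question + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def inspect_reply(msg):
    """Return (ad_flag, rcode, rrsig_count_in_answer) for a raw DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    ad = bool(flags & 0x0020)       # AD: resolver validated the answer
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):             # skip question section
        off = _skip_name(msg, off) + 4
    rrsigs = 0
    for _ in range(an):             # walk answer section, count RRSIG records
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == RRSIG:
            rrsigs += 1
    return ad, rcode, rrsigs

def query(server, qname, qtype=6, timeout=3.0):
    """Send build_query() over UDP to server:53 and inspect the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        return inspect_reply(s.recv(4096))

if __name__ == "__main__":
    # e.g. query("127.0.0.1", "com.") vs query("127.0.0.2", "com.") from the post
    print(query("127.0.0.1", "com."))
```

Running it against both listeners from the post would show (AD, rcode, RRSIGs); a reply with RRSIGs but AD false means signatures were relayed but nothing validated them, a reply with AD true means the responding resolver built a chain of trust.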