[Unbound-users] DNSSEC and traffic encryption questions
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Mon Feb 24 12:24:47 UTC 2014
Hi Beeblebrox,

On 02/24/2014 12:37 PM, Beeblebrox wrote:
> I'm using Unbound for recursive caching (serving internal network).
> I would like to use DNSSEC and also encrypt the outbound traffic,
> but I have doubts about the following:
>
> * Unbound does not support encryption natively (from own code
> base) AFAIK. I have come across two methods to encrypt DNS traffic:
> TOR and DNSCrypt. Are there any other alternatives?

You would need answers from other members of this mailing list for
that. ssl-upstream is one option, but it needs an upstream resolver
that performs this weird style of encryption (i.e. another unbound).

> * Will DNSSEC be disabled when using any encryption method or if
> the DNS query is forwarded to listening daemon (like
> TOR/DNSCrypt)?

No, DNSSEC can work if enabled.

> * When forwarding to a locally listening daemon,
> "do-not-query-localhost: no" must be enabled for forwarding to
> work. Is this a security risk?

It is there as a second-order mitigation for certain self-recursion
exploits. But if you disable it I would consider it no security risk.

> * Does one specify a forward-zone when using DNSSEC, or is it left
> up to Unbound to decide (or maybe either method is acceptable)? I
> think without forward-zone, Unbound just uses the list from
> root.hints?

This is independent from DNSSEC. You will have to set the
forward-zone to forward to another place, if you want. Otherwise it
uses the root.hints.

> * I have set up DNSSEC using the unbound-anchor command, and
> root.key shows date as: Feb 1 15:12:15 2014. Tests show, however,
> that the server is NOT using DNSSEC. Debug is set to verbosity: 4, and
> log shows no errors. All files in /var/unbound are owned by
> unbound:unbound with exception of unbound.conf.

You (most likely I think) have not configured auto-trust-anchor-file:
"/var/unbound/root.key" in unbound.conf.
Best regards,
Wouter
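The reply above pins the poster's problem on a missing auto-trust-anchor-file line and touches do-not-query-localhost and forward-zone. The script below is an added example, not part of the thread and not Unbound's own tooling: it writes a constructed unbound.conf that combines those three settings, then runs a plain grep-based sanity check that flags the two misconfigurations discussed (no trust anchor configured, so Unbound silently does not validate; and a forward-addr on localhost without do-not-query-localhost: no). The port 5353 for the local forwarding daemon and the path /tmp usage are assumptions; the check does not follow include: directives and is no replacement for unbound-checkconf on a real system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Unbound project).

# Write a constructed unbound.conf to the path given in $1.
write_example_conf() {
    cat > "$1" <<'EOF'
server:
    verbosity: 1
    interface: 127.0.0.1
    # Trust anchor maintained by unbound-anchor. Without this line
    # unbound has no trust anchor and performs no DNSSEC validation.
    auto-trust-anchor-file: "/var/unbound/root.key"
    # Required when the forwarder listens on the loopback address
    # (assumed here: a DNSCrypt/TOR-style daemon on 127.0.0.1@5353).
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
EOF
}

# 0 if the config names an (auto-)trust-anchor-file, 1 otherwise.
# Commented-out lines ("# auto-trust-anchor-file: ...") do not count.
has_trust_anchor() {
    grep -Eq '^[[:space:]]*(auto-)?trust-anchor-file:' "$1"
}

# 0 if any forward-addr points at a loopback address (127.x or ::1).
forwards_to_localhost() {
    grep -Eq '^[[:space:]]*forward-addr:[[:space:]]*(127\.|::1)' "$1"
}

# 0 if "do-not-query-localhost: no" is set, 1 otherwise.
localhost_query_allowed() {
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$1"
}

# Print a short diagnosis of the config in $1; return 0 when it is
# consistent with the DNSSEC-plus-local-forwarder setup, 1 otherwise.
check_conf() {
    conf=$1
    rc=0
    if has_trust_anchor "$conf"; then
        echo "ok: trust anchor file configured, DNSSEC validation can happen"
    else
        echo "warn: no (auto-)trust-anchor-file, unbound will not validate"
        rc=1
    fi
    if forwards_to_localhost "$conf"; then
        if localhost_query_allowed "$conf"; then
            echo "ok: loopback forwarder and do-not-query-localhost: no"
        else
            echo "warn: forward-addr on loopback but do-not-query-localhost is not 'no'"
            rc=1
        fi
    fi
    return $rc
}

# Stand-alone usage: "sh check-unbound.sh demo" writes the example
# config to a temporary file and checks it; "sh check-unbound.sh
# /path/to/unbound.conf" checks an existing file.
case "${1-}" in
    demo)
        tmp=$(mktemp)
        write_example_conf "$tmp"
        check_conf "$tmp"
        rm -f "$tmp"
        ;;
    "") ;;
    *)  check_conf "$1" ;;
esac
```

The check reports only what the file literally contains; a trust anchor referenced from an included file, or an auto-trust-anchor-file path that is unreadable by the unbound user, would still leave validation off, so confirm with a known-bad signed name once the line is in place.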