[Unbound-users] Not sure if and why DNSSEC not working

Michael Van Der Beek michael.van at antlabs.com
Tue Jun 24 10:49:43 UTC 2014

Hi Beelbebrox,

I think the necessary steps are

1) unbound-anchor -a /var/unbound/root.key
2) fetch ftp://ftp.internic.net/domain/named.cache and save the file as root.hints
3) fetch http://ftp.isc.org/www/dlv/dlv.isc.org.key and setup the configuration in your unbound.conf
        dlv-anchor-file: "/var/unbound/dlv.isc.org.key"

Now restart unbound.

That should make it work. I had the same problem.

DLV is necessary as many top domains are not signed yet, so users have to use DLV as an alternative signatory.


I'm stuck on how to debug this.
Are there any other tests I can run so as to find what's happening on my end?

My unbound.conf is below and may have some "unusual settings". That's because normally dnscrypt-proxy is running inside the same FreeBSD jail (VM) and unbound should forward queries to it as a forward zone.

server:
    verbosity: 3
    chroot: ""

    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    root-hints: "/var/unbound/root.hints"
    auto-trust-anchor-file: "/var/unbound/root.key"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    unwanted-reply-threshold: 10000
    val-clean-additional: yes
    use-caps-for-id: yes
    cache-min-ttl: 43200
    cache-max-ttl: 172800
    prefetch: yes
    prefetch-key: yes

    num-threads: 1
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    rrset-cache-size: 32m
    msg-cache-size: 16m

#   private-address: - breaks dnscrypt-proxy
    do-not-query-localhost: no

#   Disabled for DNSSEC debugging
#   forward-zone:
#       name: "."
#       forward-addr: 192.168.2.xx@9040   # setting @9040 does not work for some odd reason.

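The steps listed in the reply, followed by the check a practitioner would run afterwards, as an added shell example. This is not code from the thread or from the Unbound project. It assumes a FreeBSD-style host with `fetch`, `unbound-anchor`, `unbound-checkconf` and `dig` on PATH, a writable directory given by `UNBOUND_DIR` (default `/var/unbound`), and a placeholder forwarder address `192.0.2.10@9040` standing in for the dnscrypt-proxy jail; the helper names (`fetch_anchors`, `render_conf`, `has_ad_flag`, `check_validation`) are mine. The `dig` output fed to `has_ad_flag` in the usage section is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: bootstrap the trust anchors
# and hints the reply describes, render a minimal server: clause, and verify
# that answers from the local unbound carry the AD (authenticated data) flag.
# Assumed: /var/unbound is writable; fetch, unbound-anchor, unbound-checkconf
# and dig are installed. Forwarder address below is a placeholder.
set -eu

UNBOUND_DIR="${UNBOUND_DIR:-/var/unbound}"

# Steps 1-3 of the reply (hypothetical helper).
fetch_anchors() {
    # unbound-anchor -a exits non-zero both on failure and when it had to
    # create/update the file, so check that the file exists afterwards
    # instead of trusting the exit status.
    unbound-anchor -a "$UNBOUND_DIR/root.key" || true
    [ -s "$UNBOUND_DIR/root.key" ] || { echo "root.key missing" >&2; return 1; }
    fetch -o "$UNBOUND_DIR/root.hints" ftp://ftp.internic.net/domain/named.cache
    fetch -o "$UNBOUND_DIR/dlv.isc.org.key" http://ftp.isc.org/www/dlv/dlv.isc.org.key
}

# Render the configuration. All of these options must sit under "server:",
# and a forwarder port is written after an "@", not as " at ".
render_conf() {
    dir=$1
    cat <<EOF
server:
    verbosity: 1
    root-hints: "$dir/root.hints"
    auto-trust-anchor-file: "$dir/root.key"
    dlv-anchor-file: "$dir/dlv.isc.org.key"
    harden-dnssec-stripped: yes
    val-clean-additional: yes
    do-not-query-localhost: no

# Re-enable once validation works against the root servers. The upstream
# must pass RRSIGs through unchanged or every signed answer is treated as
# stripped and fails. 192.0.2.10@9040 is a placeholder address.
#forward-zone:
#    name: "."
#    forward-addr: 192.0.2.10@9040
EOF
}

# Return 0 if a dig output text contains the AD flag on its flags line.
has_ad_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[; ]'
}

# Live check against the local resolver: a validating unbound sets AD on
# answers for signed names. The query name is an assumption.
check_validation() {
    out=$(dig +dnssec @127.0.0.1 internic.net A 2>&1)
    if has_ad_flag "$out"; then
        echo "validation OK: AD flag set"
        return 0
    fi
    echo "no AD flag in answer; unbound is not validating" >&2
    return 1
}

# Usage: run with "run" as the only argument to perform the live procedure.
if [ "${1:-}" = "run" ]; then
    fetch_anchors
    render_conf "$UNBOUND_DIR" > "$UNBOUND_DIR/unbound.conf"
    unbound-checkconf "$UNBOUND_DIR/unbound.conf"
    service unbound restart
    check_validation
fi

# Constructed dig flag lines, used to exercise has_ad_flag offline.
SAMPLE_AD=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NO_AD=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

The AD flag is the quick positive check; for the negative check, a name whose signatures are deliberately broken should come back SERVFAIL rather than an answer, which is what `harden-dnssec-stripped: yes` is there to enforce.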