Date:      Sun, 09 Nov 2014 04:10:34 -0400
From:      Joseph Mingrone <jrm@ftfl.ca>
To:        freebsd-questions@freebsd.org
Subject:   Re: local_unbound and dnscrypt-proxy
Message-ID:  <86tx28ssjp.fsf@gly.ftfl.ca>
References:  <86lhnup5l3.fsf@gly.ftfl.ca> <1415281391.3654995.187813213.7FAECF4C@webmail.messagingengine.com> <1415379352984-5963426.post@n5.nabble.com>

Beeblebrox <zaphod@berentweb.com> writes:
Hello Beeblebrox,

> There are several issues here:
>
> 1. DNSSEC does NOT work with the unbound -> dnscrypt-proxy chain. I don't
> know why, but both port maintainer and software developer seem to not have
> taken the issue seriously. For now, disable in unbound.conf:
> # auto-trust-anchor-file: "/var/unbound/root.key"
> I'm going to re-open the issue I had filed about this on github.

That was it.  When I commented out

auto-trust-anchor-file: /var/unbound/root.key

from /var/unbound/unbound.conf it worked.  Below is my configuration in
case it helps anyone.

One issue is that when the system is booting up, things like ntpd and
bsdstats time out.  I guess this is because resolving doesn't work until
dnscrypt-proxy has started.  When I change the nameserver entry in
/etc/resolv.conf to 8.8.8.8, those processes don't time out.

Thanks,

Joseph

/etc/rc.conf

dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="-a 127.0.0.2 -d -R opennic-ca-ns4"
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
local_unbound_enable="YES"

/var/unbound/unbound.conf

server:
	#auto-trust-anchor-file: /var/unbound/root.key
	directory: /var/unbound
	do-not-query-localhost: no
	chroot: /var/unbound
	pidfile: /var/run/local_unbound.pid
	username: unbound
	use-syslog: yes
	verbosity: 1

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/conf.d/*.conf

/var/unbound/forward.conf

forward-zone:
	name: "."
	forward-addr: 127.0.0.2@53

/etc/resolv.conf

search ftfl.ca
nameserver 127.0.0.1
options edns0
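As an added example (not from the original post, nor from the unbound or dnscrypt-proxy projects), a small Python linter that reads an unbound.conf in the shape posted above and reports the two settings this thread hinges on: whether any trust anchor is still configured (commenting out auto-trust-anchor-file leaves the local resolver non-validating, so answers from the forwarder are accepted unchecked) and whether a forward-zone pointing at 127.x is actually permitted by do-not-query-localhost. The sample configuration inside the block is constructed to mirror the posted files with forward.conf inlined; include: lines are recognised but not followed.

```python
# Added example (not from the original post): a minimal unbound.conf linter
# for the two settings this thread turns on. The sample below is constructed
# to mirror the poster's config, with forward.conf inlined so it runs
# stand-alone; the trust anchor is commented out as in the post.
SAMPLE_CONF = """
server:
\t#auto-trust-anchor-file: /var/unbound/root.key
\tdirectory: /var/unbound
\tdo-not-query-localhost: no
\tchroot: /var/unbound
forward-zone:
\tname: "."
\tforward-addr: 127.0.0.2@53
"""

# Any of these options supplies a DNSSEC trust anchor; with none, unbound does not validate.
ANCHOR_OPTIONS = ("auto-trust-anchor-file", "trust-anchor-file",
                  "trust-anchor", "trusted-keys-file")

def parse_unbound(text):
    """Return {clause: [{option: [values]}]}. Comments are dropped, so a
    commented-out option simply disappears; 'include:' lines are not followed."""
    clauses, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include:"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                # bare "server:" / "forward-zone:" opens a clause
            current = {}
            clauses.setdefault(key, []).append(current)
        elif current is not None:
            current.setdefault(key, []).append(value)
    return clauses

def lint(text):
    """Flag a missing trust anchor, and a forward-zone pointing at loopback
    while do-not-query-localhost is left at unbound's default of 'yes'."""
    conf = parse_unbound(text)
    server = conf.get("server", [{}])[0]
    findings = []
    if not any(opt in server for opt in ANCHOR_OPTIONS):
        findings.append("dnssec-validation-off")
    allow_lo = server.get("do-not-query-localhost", ["yes"])[0].lower() == "no"
    for zone in conf.get("forward-zone", []):
        addrs = [a.split("@", 1)[0] for a in zone.get("forward-addr", [])]
        if not allow_lo and any(a.startswith("127.") or a == "::1" for a in addrs):
            findings.append("loopback-forward-blocked:" + zone.get("name", ["?"])[0])
    return findings
```

Run against the posted configuration it reports only dnssec-validation-off; restoring the auto-trust-anchor-file line clears that, and removing do-not-query-localhost: no reproduces the case where unbound refuses to forward to 127.0.0.2.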

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86tx28ssjp.fsf>