local_unbound and dnscrypt-proxy
Joseph Mingrone
jrm at ftfl.ca
Sun Nov 9 08:10:58 UTC 2014
Beeblebrox <zaphod at berentweb.com> writes:
Hello Beeblebrox,
> There are several issues here:
>
> 1. DNSSEC does NOT work with the unbound -> dnscrypt-proxy chain. I don't
> know why, but both port maintainer and software developer seem to not have
> taken the issue seriously. For now, disable in unbound.conf:
> # auto-trust-anchor-file: "/var/unbound/root.key"
> I'm going to re-open the issue I had filed about this on github.
That was it. When I commented out
auto-trust-anchor-file: /var/unbound/root.key
from /var/unbound/unbound.conf, it worked. Below is my configuration in
case it helps anyone.
One issue is that when the system is booting up, things like ntpd and
bsdstats time out. I guess this is because resolving doesn't work until
dnscrypt-proxy has started. When I change the nameserver entry in
/etc/resolv.conf to 8.8.8.8, those processes don't time out.
Thanks,
Joseph
/etc/rc.conf
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="-a 127.0.0.2 -d -R opennic-ca-ns4"
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
local_unbound_enable="YES"
/var/unbound/unbound.conf
server:
    #auto-trust-anchor-file: /var/unbound/root.key
    directory: /var/unbound
    do-not-query-localhost: no
    chroot: /var/unbound
    pidfile: /var/run/local_unbound.pid
    username: unbound
    use-syslog: yes
    verbosity: 1
    include: /var/unbound/forward.conf
    include: /var/unbound/lan-zones.conf
    include: /var/unbound/conf.d/*.conf
/var/unbound/forward.conf
forward-zone:
    name: "."
    forward-addr: 127.0.0.2@53
/etc/resolv.conf
search ftfl.ca
nameserver 127.0.0.1
options edns0
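The workaround in the message comments out auto-trust-anchor-file, which leaves unbound forwarding everything to dnscrypt-proxy without validating DNSSEC signatures itself. The POSIX sh script below is an added example, not part of the original post and not code from the unbound or dnscrypt-proxy projects: it reads an unbound.conf, follows its include: lines (expanding globs), and reports whether any trust-anchor directive is still in effect and which forward-addr targets queries are sent to. The function names, and the sample files it writes to a temp directory to mirror the layout above, are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit an unbound.conf for
# whether DNSSEC validation is configured and where queries are forwarded.
# Assumes the layout shown above: a server: block plus include: lines.

# Print the effective config with comments, blank lines and leading
# whitespace removed, following include: lines (globs are expanded).
unbound_effective_conf() {
    cf="$1"
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$cf" |
    while IFS= read -r line; do
        case "$line" in
            include:*)
                # Strip the keyword and any surrounding quotes from the path.
                path=$(printf '%s\n' "$line" |
                       sed -e 's/^include:[[:space:]]*//' -e 's/^"//' -e 's/"$//')
                for f in $path; do                 # unquoted on purpose: expand globs
                    if [ -f "$f" ]; then
                        unbound_effective_conf "$f"
                    fi
                done
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Report "validating" when any trust-anchor directive survives comment
# stripping, otherwise "not-validating" (the config in the post is the
# latter: its auto-trust-anchor-file line is commented out).
unbound_dnssec_state() {
    if unbound_effective_conf "$1" |
       grep -Eq '^(auto-trust-anchor-file|trust-anchor-file|trust-anchor|trusted-keys-file):'
    then
        echo validating
    else
        echo not-validating
    fi
}

# List every forward-addr target (address, optionally @port) in effect.
unbound_forwarders() {
    unbound_effective_conf "$1" | sed -n 's/^forward-addr:[[:space:]]*//p'
}

# Build a constructed sample in a temp dir that mirrors the post's files.
# Pass "validating" to leave the trust-anchor line uncommented.
make_sample_conf() {
    dir=$(mktemp -d)
    mkdir "$dir/conf.d"
    if [ "$1" = validating ]; then
        anchor="auto-trust-anchor-file: $dir/root.key"
    else
        anchor="#auto-trust-anchor-file: $dir/root.key"
    fi
    cat > "$dir/unbound.conf" <<EOF
server:
    $anchor
    do-not-query-localhost: no
    include: $dir/forward.conf
    include: $dir/conf.d/*.conf
EOF
    cat > "$dir/forward.conf" <<EOF
forward-zone:
    name: "."
    forward-addr: 127.0.0.2@53
EOF
    echo "$dir/unbound.conf"
}

# Demo run on the constructed sample.
sample=$(make_sample_conf)
echo "dnssec: $(unbound_dnssec_state "$sample")"      # not-validating
echo "forwarders: $(unbound_forwarders "$sample")"    # 127.0.0.2@53
```

To check a live host, call unbound_dnssec_state and unbound_forwarders with /var/unbound/unbound.conf instead of the sample; the script reads include: paths as written, so on a chrooted setup they must be resolvable from the host side. It answers only those two questions; unbound's own unbound-checkconf is the tool for syntax validation.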