Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
unbound + dhcpcd/openresolv with DNSSEC
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6293

PostPosted: Tue Feb 03, 2015 8:10 am    Post subject: unbound + dhcpcd/openresolv with DNSSEC Reply with quote

I am trying to run unbound with DNSSEC, but with a fallback to the nameserver obtained by dhcpcd.
At a first glance, openresolv seems to do everything: It can be configured to generate something like
/etc/unbound-resolvconf.conf wrote:
forward-zone:
name: "localdomain"
forward-addr: 192.168.0.1

forward-zone:
name: "."
forward-addr: 192.168.0.1

which can be .include'd in the unbound configuration. To be honest, I do not completely understand what forward-zones mean and why these two names apply to all my DNS queries (e.g. in firefox), so perhaps this is related to my problem:

I was hoping that this would work out-of-the-box, but unfortunately unbound refuses to resolve anything at all: I get messages like
Quote:
info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN

which I interpret that DNSSEC does not work with the local (provider's) server on the router - which is not surprising, since this "untrusted" local server is what I want to avoid with unbound and use only as a fallback. When I omit inclusion of the above file in /etc/unbound/unbound.conf, I can resolve names, but have of course not the local fallback.

Can I somehow teach unbound that the "forward zone"s are really only a fallback and do not need to be protected with DNSSEC, preferrably without hacking up the openresolv script which generates /etc/unbound-resolvconf.conf? Perhaps there is also a resolvconf configuration possible which I am not aware of...
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6754
Location: Blighty

PostPosted: Tue Feb 03, 2015 9:10 am    Post subject: Re: unbound + dhcpcd/openresolv with DNSSEC Reply with quote

mv wrote:
I am trying to run unbound with DNSSEC, but with a fallback to the nameserver obtained by dhcpcd.


It doesn't quite work like that.
I think dnssec in unbound is set at the server level, so all upstream nameservers need to be DNSSEC enabled.
My ISP ones are not, so I forward to Googles DNS which is.
Note, I only need to do this on my router - each of my clients will pickup protection from this automatically.

Quote:

Can I somehow teach unbound that the "forward zone"s are really only a fallback and do not need to be protected with DNSSEC, preferrably without hacking up the openresolv script which generates /etc/unbound-resolvconf.conf? Perhaps there is also a resolvconf configuration possible which I am not aware of...


Not sure this is possible. Try asking ubound upstream, they will know better.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6293

PostPosted: Tue Feb 03, 2015 11:28 am    Post subject: Re: unbound + dhcpcd/openresolv with DNSSEC Reply with quote

UberLord wrote:
It doesn't quite work like that.
I think dnssec in unbound is set at the server level, so all upstream nameservers need to be DNSSEC enabled.

Thanks for clarifying. In this case, I do not really understand what is the purpose of the unbound "backend" of openresolv: It seems to me that even if I would give up DNSSEC, using this backend, unbound would just query the server obtained by dhcpcd, i.e. I could as well omit unbound completely and directly query that server - it seems to me that the main purpose of unbound (the recursive resolving, independent of any ISP service) cannot be used in such a setting.
Indeed, this is more a question concerning unbound than concerning openresolv, but perhaps you had some special purpose in mind when writing the backend?
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6754
Location: Blighty

PostPosted: Thu Feb 05, 2015 1:31 pm    Post subject: Re: unbound + dhcpcd/openresolv with DNSSEC Reply with quote

mv wrote:
UberLord wrote:
It doesn't quite work like that.
I think dnssec in unbound is set at the server level, so all upstream nameservers need to be DNSSEC enabled.

Thanks for clarifying. In this case, I do not really understand what is the purpose of the unbound "backend" of openresolv

...

Indeed, this is more a question concerning unbound than concerning openresolv, but perhaps you had some special purpose in mind when writing the backend?


Primary use case - caching DNS.
Secondary use case - splitting DNS requests from VPN assignments.

So for example I can setup a resovlconf entry as VPN - so if it contains search domain(s) then it will forward requests for host within that domain to the listed nameservers only whilst allwoing all other requests to goto other nameservers.
Quite powerful :)

Anything else such as DNSSEC is best done at the router level to pass the benefits down to the clients.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum