From owner-freebsd-questions@freebsd.org Mon Oct 9 00:54:23 2017
From: Chris Gordon
To: Ernie Luzar
Cc: "freebsd-questions@freebsd.org"
Subject: Re: unbound trust-anchor
Date: Sun, 8 Oct 2017 20:44:48 -0400
Message-Id: <7E539C26-2B8C-4647-9A70-EE2D330EB7D7@theory14.net>
In-Reply-To: <59DABE19.2070704@gmail.com>

> On Oct 8, 2017, at 8:08 PM, Ernie Luzar wrote:
>
> If I comprehend the unbound-anchor man page correctly, at unbound start time a trust-anchor is fetched from an unbound website. This is required for dnssec. Is this really necessary? I do not like any software application to be dialing home. Way too easy for that website to become compromised and bad things happen to my host.
This function is to get the trust anchors for DNSsec validation. If you don't want to use DNSsec, then you don't need them. If you're going to disable this then be sure you do NOT have DNSsec validation enabled in your configuration.

For those that want to do DNSsec validation, this automatic anchor retrieval is very nice. In fact ICANN just announced delaying rolling over the root zone KSKs since there were too many resolvers that had not updated their trust anchors and they didn't want all of those DNS resolvers to suddenly stop working.

The default site where the file is pulled is data.iana.org. This is not a site associated with unbound but with IANA. I understand and agree with your desire to minimize where your machine(s) pull data, but for me having working DNSsec validation outweighs the risks of getting a "compromised" trust anchor. Note that if you have a compromised/corrupt trust anchor, DNSsec validation will fail and DNS wouldn't work for you. Though DNS not working would be a very "bad" thing, it would be quick to diagnose and fix.

> Can unbound function without this dial home feature?
> How would I go about disabling it?

Take a look at /usr/local/etc/rc.d/unbound. You could just modify this and then make sure you don't have validation enabled in unbound.conf.

Chris
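An added example, not code from this thread or from the unbound project, of the check Chris's last paragraph calls for: before skipping the unbound-anchor fetch, confirm that unbound.conf does not depend on a trust anchor for DNSSEC validation. The directive names are real unbound.conf options; the two sample configs are constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Decide whether an unbound.conf still needs the anchor maintained by
# unbound-anchor. Validation is only effective when the validator module
# is loaded AND at least one trust-anchor directive is configured.

# Print trust-anchor directives in the file (comments stripped).
# Exit status 0 if any were found, 1 otherwise.
anchor_directives() {
    sed -e 's/#.*$//' "$1" \
      | grep -E '^[[:space:]]*(auto-trust-anchor-file|trust-anchor-file|trust-anchor|trusted-keys-file):'
}

# Exit 0 if the validator module is loaded. unbound's default module-config
# is "validator iterator", so only an explicit module-config without
# "validator" turns validation off.
validator_loaded() {
    mc=$(sed -e 's/#.*$//' "$1" | grep -E '^[[:space:]]*module-config:' | tail -n 1)
    [ -z "$mc" ] && return 0
    printf '%s\n' "$mc" | grep -q validator
}

# Exit 0 when the anchor fetch can be skipped without breaking DNS,
# 1 when validation depends on the anchor and the fetch must stay.
safe_to_disable_anchor() {
    if validator_loaded "$1" && anchor_directives "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample configs (not real files); prints the temp dir.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/validating.conf" <<'EOF'
server:
    interface: 127.0.0.1
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
EOF
    cat > "$dir/plain.conf" <<'EOF'
server:
    interface: 127.0.0.1
    # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    module-config: "iterator"
EOF
    printf '%s\n' "$dir"
}

samples=$(make_samples)
for f in "$samples/validating.conf" "$samples/plain.conf"; do
    if safe_to_disable_anchor "$f"; then echo "$f: anchor fetch can be skipped"
    else echo "$f: validation depends on the anchor; keep unbound-anchor"; fi
done
rm -rf "$samples"
```

Run it against the real config with `safe_to_disable_anchor /usr/local/etc/unbound/unbound.conf` (substitute the path your rc script passes to unbound) before editing /usr/local/etc/rc.d/unbound.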