From: "Igor V. Ruzanov"
Date: Mon, 9 Oct 2017 10:28:31 +0300 (MSK)
To: Chris Gordon
Cc: Ernie Luzar, freebsd-questions@freebsd.org
Subject: Re: unbound trust-anchor

On Sun, 8 Oct 2017, Chris Gordon wrote:

|
|> On Oct 8, 2017, at 8:08 PM, Ernie Luzar wrote:
|>
|> If I comprehend the unbound-anchor man page correctly, at unbound start time a trust-anchor is fetched from an unbound website. This is required for dnssec. Is this really necessary? I do not like any software application to be dialing home. Way too easy for that website to become compromised and bad things happen to my host.
|
|This function is to get the trust anchors for DNSsec validation. If you don’t want to use DNSsec, then you don’t need them. If you’re going to disable this then be sure you do NOT have DNSsec validation enabled in your configuration.
|
|For those that want to do DNSsec validation, this automatic anchor retrieval is very nice. In fact ICANN just announced delaying rolling over the root zone KSKs since there were too many resolvers that had not updated their trust anchors and they didn’t want all of those DNS resolvers to suddenly stop working.

Totally agree with Chris. This is a hot example of a resolver that "don’t want to use DNSsec" for some non-objective reasons ;) In general, DNSSEC introduction is very similar to the "slow start" of ISDN technology many years ago: "It Still Does Nothing".

|
|The default site where the file is pulled is data.iana.org. This is not a site associated with unbound but with IANA. I understand and agree with your desire to minimize where your machine(s) pull data, but for me having working DNSsec validation outweighs the risks of getting a “compromised” trust anchor. Note that if you have a compromised/corrupt trust anchor, DNSsec validation will fail and DNS wouldn’t work for you. Though DNS not working would be a very “bad” thing, it would be quick to diagnose and fix.
|
|> Can unbound function without this dial home feature?
|> How would I go about disabling it.
|
|Take a look at /usr/local/etc/rc.d/unbound. You could just modify this and then make sure you don’t have validation enabled in unbound.conf.
|
|Chris
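As an added example that is not code from the thread or from unbound itself: a POSIX sh check for the second half of Chris's advice, confirming that unbound.conf does not enable DNSSEC validation before the unbound-anchor fetch in rc.d/unbound is disabled. The directive names are unbound's own; the function name and the sample configurations it is run on are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the unbound project).
# Reports the directives in an unbound.conf that enable DNSSEC validation.
# Run it before disabling the unbound-anchor fetch: a resolver left with a
# validator and a trust anchor it can no longer refresh will eventually go
# bogus on every answer. Function name is constructed; directives are unbound's.

# Usage: unbound_validation_enabled /usr/local/etc/unbound/unbound.conf
# Prints every validation-related directive found (comments ignored).
# Exit status 0 if validation appears enabled, 1 if nothing was found.
unbound_validation_enabled() {
    conf="$1"
    found=0
    while IFS= read -r line; do
        line=${line%%#*}                                      # drop comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//') # trim indent
        case "$line" in
            # unbound loads "validator iterator" by default, so only an
            # explicit module-config without "validator" switches it off;
            # one that names the validator is reported here.
            module-config:*validator*)
                echo "$line"; found=1 ;;
            # Any configured trust anchor is what gives the validator
            # something to validate against (a stale root.key left behind
            # by earlier unbound-anchor runs still counts).
            auto-trust-anchor-file:*|trust-anchor-file:*|trust-anchor:*|trusted-keys-file:*)
                echo "$line"; found=1 ;;
            # Included files may carry the same directives; flag them.
            include:*)
                echo "note: also inspect $line" >&2 ;;
        esac
    done < "$conf"
    [ "$found" -eq 1 ]
}
```

The exit status makes the function usable as a guard in a start script; the printed lines show what to comment out if validation is to stay disabled.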