Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 24 Nov 2017 16:34:16 -0500
From:      Ernie Luzar <luzar722@gmail.com>
To:        doug@safeport.com
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: local_unbound disable trusted-anchor
Message-ID:  <5A189058.30500@gmail.com>
In-Reply-To: <alpine.BSF.2.20.1711241356340.15572@fledge.watson.org>
References:  <59EF2E9D.2060408@gmail.com> <alpine.BSF.2.20.1711241356340.15572@fledge.watson.org>

next in thread | previous in thread | raw e-mail | index | archive | help
doug wrote:
> On Tue, 24 Oct 2017, Ernie Luzar wrote:
> 
>> How can I stop local_unbound from automatically performing trusted 
>> anchor at local_unbound start?
> 
> Read the thread "Unbound(8) caching resolver no workie on ..." valuable 
> stuff here. Answered why I had to do the following. Comment out
> 
>    auto-trust-anchor-file: /var/unbound/root.key
> 
> in unbound.conf.
> 

Yes I followed that thread when it was current on the questions list.

I took a different path to working around stopping the trust-anchor auto 
fetch at start time.

For security reasons I will not allow any daemon call home for any 
reason. Its just to easy for that secdns fetch to become compromised and 
all of a sudden all unbound users are compromised. They added secdns to 
close some large holes in dns services and ended up adding a far more 
centralized security hole. secdns needs more time to work out the design 
problems to become better secured before I an willing to get in bed with 
it. So I turned off the auto secdns fetch all together and run unbound 
without it just fine.

It came to my attention that the version of unbound used by release 11.1 
local_unbound was 3 versions behind what was provided in the port 
version of unbound. So I pkg installed unbound and then hacked the rc.d 
unbound script commenting out the code that did the actual fetch of the 
trust-anchor file content.

Then I installed the dns2blackhole port and followed the great detailed 
instructions for populating unbound with a file containing known bad 
domain names so unbound will block those dns look ups thus protecting 
the host unbound runs on and all LAN devices hard wired or wifi 
connected behind that host.

dns2blackhole man page has a lot of info on customizing unbound and 
local_unbound, so it's worth it to just install it for its man page.

I also have ntpd launched at boot time and it does complain about being 
unable to resolve it's domain name until unbound completes it's start 
up.  This is a simple timing thing between ntpd and unbound that 
resolves itself and only creates 2 warning messages in the system log 
which I understand and ignore.





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5A189058.30500>