From: Ernie Luzar <luzar722@gmail.com>
Date: Fri, 24 Nov 2017 16:34:16 -0500
To: doug@safeport.com
CC: freebsd-questions@freebsd.org
Subject: Re: local_unbound disable trusted-anchor
Message-ID: <5A189058.30500@gmail.com>
References: <59EF2E9D.2060408@gmail.com>

doug wrote:
> On Tue, 24 Oct 2017, Ernie Luzar wrote:
>
>> How can I stop local_unbound from automatically performing trusted
>> anchor at local_unbound start?
>
> Read the thread "Unbound(8) caching resolver no workie on ..." valuable
> stuff here. Answered why I had to do the following. Comment out
>
> auto-trust-anchor-file: /var/unbound/root.key
>
> in unbound.conf.
>

Yes, I followed that thread when it was current on the questions list. I took a different path to working around stopping the trust-anchor auto-fetch at start time. For security reasons I will not allow any daemon to call home for any reason.
It's just too easy for that secdns fetch to become compromised, and all of a sudden all unbound users are compromised. They added secdns to close some large holes in DNS services and ended up adding a far more centralized security hole. secdns needs more time to work out the design problems and become better secured before I am willing to get in bed with it. So I turned off the auto secdns fetch altogether and run unbound without it just fine.

It came to my attention that the version of unbound used by release 11.1 local_unbound was 3 versions behind what was provided in the port version of unbound. So I pkg-installed unbound and then hacked the rc.d unbound script, commenting out the code that did the actual fetch of the trust-anchor file content.

Then I installed the dns2blackhole port and followed the great detailed instructions for populating unbound with a file containing known bad domain names, so unbound will block those DNS lookups, thus protecting the host unbound runs on and all LAN devices, hard-wired or wifi-connected, behind that host. The dns2blackhole man page has a lot of info on customizing unbound and local_unbound, so it's worth it to just install it for its man page.

I also have ntpd launched at boot time, and it does complain about being unable to resolve its domain name until unbound completes its startup. This is a simple timing thing between ntpd and unbound that resolves itself and only creates 2 warning messages in the system log, which I understand and ignore.
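The blocklist step described above (feeding unbound a file of known bad domain names so lookups for them are answered locally and never forwarded) is what dns2blackhole automates. The script below is an added example written for this page; it is not part of the post and not dns2blackhole's own code. It assumes the input lists are either bare domain names or hosts-format lines ("0.0.0.0 host" or "127.0.0.1 host"), uses the "static" local-zone type (present in every unbound release; a static zone with no local-data answers NXDOMAIN for the name and everything under it), and assumes the output goes into the include: directory of the running unbound (/var/unbound/conf.d for FreeBSD's local_unbound; for the port, wherever its unbound.conf points). The sample list in the usage comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post, not dns2blackhole's code): turn one or
# more blocklists into an unbound(8) include file of local-zone entries.
# Assumed input formats: bare domains, or hosts-format "0.0.0.0 host" /
# "127.0.0.1 host" lines. Output path is an assumption; see unbound.conf.

# Normalize a blocklist on stdin to one lowercase domain per line: strip
# comments and whitespace, accept hosts-format or bare names, drop
# localhost entries and anything that is not a plain hostname, and
# de-duplicate so unbound never sees the same zone defined twice.
blocklist_domains() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk '
        NF == 0 { next }
        NF == 1 { d = $1 }
        NF >= 2 {
            # hosts format: only sinkhole addresses are accepted as field 1
            if ($1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::1") next
            d = $2
        }
        {
            d = tolower(d)
            sub(/\.$/, "", d)                 # strip a trailing root dot
            if (d == "" || d == "localhost" || d == "localhost.localdomain") next
            if (d ~ /[^a-z0-9.-]/) next       # this file is fed to a daemon: refuse odd characters
            if (!(d in seen)) { seen[d] = 1; print d }
        }'
}

# Emit server-clause lines. A "static" local-zone with no local-data makes
# unbound answer NXDOMAIN for the name and everything under it without
# contacting any upstream server. "static" exists in every unbound release,
# unlike the newer always_nxdomain type.
blocklist_to_unbound() {
    blocklist_domains | awk '{ printf "local-zone: \"%s.\" static\n", $1 }'
}

# Usage (paths are assumptions; adjust to your unbound.conf include: line):
#   sh blocklist2unbound.sh list1.txt list2.txt > /var/unbound/conf.d/blackhole.conf
#   unbound-checkconf && restart unbound
# With a constructed list containing "0.0.0.0 Ads.Example.com",
# "127.0.0.1 localhost" and "tracker.example.net." this prints
#   local-zone: "ads.example.com." static
#   local-zone: "tracker.example.net." static
if [ "$#" -gt 0 ]; then
    cat "$@" | blocklist_to_unbound
fi
```

Run unbound-checkconf before reloading: a single malformed line in the include file keeps the whole resolver from starting, which on a host that also runs ntpd against a domain name is exactly the boot-time ordering problem mentioned above, only permanent. Keep the blocklist sources somewhere you control and review diffs before installing a new file; a blocklist is a config file the daemon trusts, so it deserves the same scrutiny as unbound.conf itself.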