From owner-freebsd-questions@FreeBSD.ORG Sun Nov 9 08:10:58 2014
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by hub.freebsd.org (Postfix) with ESMTPS id 397428F4
        for <freebsd-questions@freebsd.org>; Sun, 9 Nov 2014 08:10:58 +0000 (UTC)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3])
        (using TLSv1 with cipher AES256-SHA (256/256 bits))
        (Client did not present a certificate)
        by mx1.freebsd.org (Postfix) with ESMTPS id E9781BC7
        for <freebsd-questions@freebsd.org>; Sun, 9 Nov 2014 08:10:56 +0000 (UTC)
Received: from list by plane.gmane.org with local (Exim 4.69)
        id 1XnNaA-0001mn-Op
        for freebsd-questions@freebsd.org; Sun, 09 Nov 2014 09:10:46 +0100
Received: from dynamic34-29.dynamic.dal.ca ([129.173.34.203])
        by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <freebsd-questions@freebsd.org>; Sun, 09 Nov 2014 09:10:46 +0100
Received: from jrm by dynamic34-29.dynamic.dal.ca with local (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <freebsd-questions@freebsd.org>; Sun, 09 Nov 2014 09:10:46 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: freebsd-questions@freebsd.org
From: Joseph Mingrone
Subject: Re: local_unbound and dnscrypt-proxy
Date: Sun, 09 Nov 2014 04:10:34 -0400
Lines: 62
Message-ID: <86tx28ssjp.fsf@gly.ftfl.ca>
References: <86lhnup5l3.fsf@gly.ftfl.ca>
        <1415281391.3654995.187813213.7FAECF4C@webmail.messagingengine.com>
        <1415379352984-5963426.post@n5.nabble.com>
Mime-Version: 1.0
Content-Type: text/plain
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: dynamic34-29.dynamic.dal.ca
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (berkeley-unix)
Cancel-Lock: sha1:3DgBB+cxEDimG69OmSJwLnviRAw=
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 09 Nov 2014 08:10:58 -0000
Beeblebrox writes:

Hello Beeblebrox,

> There are several issues here:
>
> 1. DNSSEC does NOT work with the unbound -> dnscrypt-proxy chain. I don't
> know why, but both port maintainer and software developer seem to not have
> taken the issue seriously. For now, disable in unbound.conf:
> # auto-trust-anchor-file: "/var/unbound/root.key"
> I'm going to re-open the issue I had filed about this on github.

That was it. When I commented out auto-trust-anchor-file: /var/unbound/root.key
from /var/unbound/unbound.conf it worked. Below is my configuration in case
it helps anyone.

One issue is that when the system is booting up, things like ntpd and
bsdstats time out. I guess this is because resolving doesn't work until
dnscrypt-proxy has started. When I change the nameserver entry in
/etc/resolv.conf to 8.8.8.8, those processes don't time out.

Thanks,

Joseph

/etc/rc.conf

dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="-a 127.0.0.2 -d -R opennic-ca-ns4"
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
local_unbound_enable="YES"

/var/unbound/unbound.conf

server:
    #auto-trust-anchor-file: /var/unbound/root.key
    directory: /var/unbound
    do-not-query-localhost: no
    chroot: /var/unbound
    pidfile: /var/run/local_unbound.pid
    username: unbound
    use-syslog: yes
    verbosity: 1

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/conf.d/*.conf

/var/unbound/forward.conf

forward-zone:
    name: "."
    forward-addr: 127.0.0.2@53

/etc/resolv.conf

search ftfl.ca
nameserver 127.0.0.1
options edns0
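An added check script, not part of the original post or of the unbound or dnscrypt-proxy projects, for the configuration above. Commenting out auto-trust-anchor-file makes local_unbound stop validating DNSSEC, so the working chain answers without the AD (authenticated data) flag even for signed zones, and the 8.8.8.8 workaround sends every query to Google in clear text, which is what dnscrypt-proxy was installed to avoid. The script probes each hop of the chain (dnscrypt-proxy on 127.0.0.2, then unbound on 127.0.0.1, the addresses from the post) with drill -D from the FreeBSD base system and reports, per hop, whether the answer was validated, answered without validation, or failed. The three response samples embedded in it are constructed for offline use; the drill invocation, the dnssec-failed.org test name and the RUN_CHECKS switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report DNSSEC validation status
# for each hop of a local_unbound -> dnscrypt-proxy chain.
# Assumes: unbound on 127.0.0.1, dnscrypt-proxy on 127.0.0.2 (as in the post),
# and 'drill' from FreeBSD base. The parsing also works on 'dig' output.

# Print the rcode (NOERROR, SERVFAIL, ...) from drill/dig output on stdin.
dns_rcode() {
    sed -n 's/.*rcode: \([A-Z]*\).*/\1/p' | head -n 1
}

# Print "yes" if the AD flag is set in the ";; flags:" line on stdin, else "no".
# drill prints "flags: qr rd ra ad ;" and dig prints "flags: qr rd ra ad;";
# taking everything before the first ';' handles both.
dns_ad_flag() {
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ad "*) echo yes ;;
        *)        echo no ;;
    esac
}

# Classify one response read from stdin:
#   validated      NOERROR with AD set (the resolver validated the chain)
#   not-validated  NOERROR without AD (no trust anchor, or an unsigned zone)
#   <rcode>        anything else, e.g. SERVFAIL for a failed validation
dns_verdict() {
    out=$(cat)
    rcode=$(printf '%s\n' "$out" | dns_rcode)
    ad=$(printf '%s\n' "$out" | dns_ad_flag)
    if [ "$rcode" != NOERROR ]; then
        echo "$rcode"
    elif [ "$ad" = yes ]; then
        echo validated
    else
        echo not-validated
    fi
}

# Query one name through one resolver with the DO bit set (drill -D) and
# classify the answer. Network-dependent; only used by run_checks below.
probe() {
    server=$1
    name=$2
    drill -D "$name" "@$server" | dns_verdict
}

# Constructed sample responses (drill header format) so the classifier can be
# exercised offline; no real query produced these.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4711
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4712
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4713
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Classify a named sample: verdict_for_sample validated|unvalidated|servfail
verdict_for_sample() {
    case $1 in
        validated)   printf '%s\n' "$SAMPLE_VALIDATED"   | dns_verdict ;;
        unvalidated) printf '%s\n' "$SAMPLE_UNVALIDATED" | dns_verdict ;;
        servfail)    printf '%s\n' "$SAMPLE_SERVFAIL"    | dns_verdict ;;
        *)           echo unknown-sample ;;
    esac
}

# Live run against both hops. With the trust anchor commented out, expect
# "not-validated" from 127.0.0.1 even for a signed zone; a resolver that does
# validate should answer "validated" for freebsd.org and SERVFAIL for the
# deliberately broken dnssec-failed.org.
run_checks() {
    for server in 127.0.0.2 127.0.0.1; do
        echo "$server freebsd.org:        $(probe "$server" freebsd.org)"
        echo "$server dnssec-failed.org:  $(probe "$server" dnssec-failed.org)"
    done
}

# Only touch the network when explicitly asked: RUN_CHECKS=1 sh dnscheck.sh
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    run_checks
fi
```

Run it with RUN_CHECKS=1 on the box; "not-validated" from 127.0.0.1 for freebsd.org is the cost of the workaround in the post, and the same verdict from 127.0.0.2 shows whether dnscrypt-proxy itself is passing the DO bit and signatures through.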