Date: Sun, 22 Jun 2014 12:48:12 -0700 (PDT)
From: Beeblebrox <zaphod@berentweb.com>
To: freebsd-net@freebsd.org
Subject: Latest update of dnscrypt-proxy broke DNSSEC chain
Message-ID: <1403466492547-5922962.post@n5.nabble.com>

I have {unbound + dnscrypt-proxy} running in a jail. /etc/passwd in jail has below and appears started in sockstat, but provides no log records. My setup was working before I did "pkg upgrade" in the jail.

_dnscrypt-proxy:*:978:65534::0:0:dnscrypt-proxy user:/var/empty:/usr/sbin/nologin

# dnscrypt-proxy -t 1 -R dnscrypt.eu-nl
[NOTICE] Starting dnscrypt-proxy 1.4.0
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #808464433 is valid from [2013-12-27] to [2014-12-27]
[INFO] Server key fingerprint is SOME:GEN:KEY:XX:YY:ETC

<jail>/etc/rc.conf:
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="-d -a 192.168.2.xx:9040 -R dnscrypt.eu-nl --logfile=/var/log/dnscrypt-proxy.log -m 2"
#_unused_dnscrypt_proxy_flags
# -L /var/unbound/dnscrypt-resolvers.csv
# --provider-key= <above fingerprint>

From host or inside the jail, "# drill -TD -k /var/unbound/root.key" <domain> ->
; E;; Error verifying denial of existence for name com.NS: No DNSSEC signature(s)

Jail's var/log/debug.log shows:
unbound: [4180:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
unbound: [4180:0] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
unbound: [4180:0] debug: sending to target: <.> 192.168.2.xx#9040
unbound: [4180:0] debug: cache memory msg=71924 rrset=70715 infra=2849 val=66401

My var/unbound/unbound.conf:
server:
    verbosity: 3
    chroot: ""
    port: 53        # port to answer queries from
    do-ip4: yes     # Enable IPv4, "yes" or "no".
    do-ip6: no      # Enable IPv6, "yes" or "no".
    do-udp: yes     # Enable UDP, "yes" or "no".
    do-tcp: yes
    auto-trust-anchor-file: "/var/unbound/root.key"
    val-clean-additional: yes
    root-hints: "/var/unbound/root.hints"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    use-caps-for-id: yes
    prefetch: yes
    prefetch-key: yes
    num-threads: 1
    # private-address: 127.0.1.0/28 - breaks things
    private-address: 192.168.1.0/24
    private-address: 192.168.2.0/26
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 192.168.2.xx@9040 # does not work: 127.0.0.1@9040

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS