Date: Fri, 24 Nov 2017 16:34:16 -0500
From: Ernie Luzar <luzar722@gmail.com>
To: doug@safeport.com
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: local_unbound disable trusted-anchor
Message-ID: <5A189058.30500@gmail.com>
In-Reply-To: <alpine.BSF.2.20.1711241356340.15572@fledge.watson.org>
References: <59EF2E9D.2060408@gmail.com> <alpine.BSF.2.20.1711241356340.15572@fledge.watson.org>
doug wrote:
> On Tue, 24 Oct 2017, Ernie Luzar wrote:
>
>> How can I stop local_unbound from automatically performing trusted
>> anchor at local_unbound start?
>
> Read the thread "Unbound(8) caching resolver no workie on ..." valuable
> stuff here. Answered why I had to do the following. Comment out
>
> auto-trust-anchor-file: /var/unbound/root.key
>
> in unbound.conf.
>

Yes, I followed that thread when it was current on the questions list. I took a different path to working around stopping the trust-anchor auto fetch at start time. For security reasons I will not allow any daemon to call home for any reason. It's just too easy for that secdns fetch to become compromised, and all of a sudden all unbound users are compromised. They added secdns to close some large holes in dns services and ended up adding a far more centralized security hole. secdns needs more time to work out the design problems to become better secured before I am willing to get in bed with it. So I turned off the auto secdns fetch altogether and run unbound without it just fine.

It came to my attention that the version of unbound used by release 11.1 local_unbound was 3 versions behind what was provided in the port version of unbound. So I pkg installed unbound and then hacked the rc.d unbound script, commenting out the code that did the actual fetch of the trust-anchor file content.

Then I installed the dns2blackhole port and followed the great detailed instructions for populating unbound with a file containing known bad domain names so unbound will block those dns lookups, thus protecting the host unbound runs on and all LAN devices, hard wired or wifi connected, behind that host. The dns2blackhole man page has a lot of info on customizing unbound and local_unbound, so it's worth it to just install it for its man page.

I also have ntpd launched at boot time and it does complain about being unable to resolve its domain name until unbound completes its start up. This is a simple timing thing between ntpd and unbound that resolves itself and only creates 2 warning messages in the system log, which I understand and ignore.
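As an added example that is not part of this thread: a small Python audit of an unbound.conf that reports whether the auto-trust-anchor-file directive discussed above is still active (a commented-out line counts as off) and which domains are blackholed through local-zone entries in the dns2blackhole style. The sample config text and the blackhole.conf include path are constructed for the example.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample unbound.conf: trust anchor line commented out
# (as the poster describes), plus two dns2blackhole-style blocked zones.
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    # auto-trust-anchor-file: /var/unbound/root.key
    include: /var/unbound/blackhole.conf   # hypothetical path
local-zone: "bad.example." always_nxdomain
local-zone: "ads.example." redirect
local-data: "ads.example. A 0.0.0.0"
"""

# local-zone types that deny or rewrite answers (names from unbound.conf(5)).
BLOCKING_TYPES = {"deny", "refuse", "static", "redirect",
                  "always_refuse", "always_nxdomain", "always_deny"}

@dataclass
class UnboundAudit:
    trust_anchor_file: Optional[str] = None  # active auto-trust-anchor-file
    blocked_zones: Dict[str, str] = field(default_factory=dict)  # zone -> type
    includes: List[str] = field(default_factory=list)

    @property
    def dnssec_validation(self) -> bool:
        """A commented-out anchor line means no trust anchor is configured."""
        return self.trust_anchor_file is not None

def strip_comment(line: str) -> str:
    """Remove a trailing '#' comment unless the '#' sits inside quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()

def audit_unbound_conf(text: str) -> UnboundAudit:
    audit = UnboundAudit()
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line or ":" not in line:
            continue
        key, _, rest = line.partition(":")
        key, args = key.strip(), shlex.split(rest)
        if key == "auto-trust-anchor-file" and args:
            audit.trust_anchor_file = args[0]
        elif key == "include" and args:
            audit.includes.append(args[0])
        elif key == "local-zone" and len(args) == 2 and args[1] in BLOCKING_TYPES:
            audit.blocked_zones[args[0].rstrip(".").lower()] = args[1]
    return audit
```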