Date: Sun, 8 Oct 2017 20:44:48 -0400
From: Chris Gordon <freebsd@theory14.net>
To: Ernie Luzar <luzar722@gmail.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: unbound trust-anchor
Message-ID: <7E539C26-2B8C-4647-9A70-EE2D330EB7D7@theory14.net>
In-Reply-To: <59DABE19.2070704@gmail.com>
References: <59DABE19.2070704@gmail.com>
> On Oct 8, 2017, at 8:08 PM, Ernie Luzar <luzar722@gmail.com> wrote:
>
> If I comprehend the unbound-anchor man page correctly, at unbound start time a trust-anchor is fetched from an unbound website. This is required for dnssec. Is this really necessary? I do not like any software application to be dialing home. Way too easy for that website to become compromised and bad things happen to my host.

This function is to get the trust anchors for DNSsec validation. If you don't want to use DNSsec, then you don't need them. If you're going to disable this then be sure you do NOT have DNSsec validation enabled in your configuration.

For those that want to do DNSsec validation, this automatic anchor retrieval is very nice. In fact ICANN just announced delaying rolling over the root zone KSKs since there were too many resolvers that had not updated their trust anchors and they didn't want all of those DNS resolvers to suddenly stop working.

The default site where the file is pulled is data.iana.org. This is not a site associated with unbound but with IANA. I understand and agree with your desire to minimize where your machine(s) pull data, but for me having working DNSsec validation outweighs the risks of getting a "compromised" trust anchor. Note that if you have a compromised/corrupt trust anchor, DNSsec validation will fail and DNS wouldn't work for you. Though DNS not working would be a very "bad" thing, it would be quick to diagnose and fix.

> Can unbound function without this dial home feature?
> How would I go about disabling it?

Take a look at /usr/local/etc/rc.d/unbound. You could just modify this and then make sure you don't have validation enabled in unbound.conf.

Chris
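An added check (example shell script, not from the thread) for the step Chris describes: before editing the rc script to drop the unbound-anchor fetch, confirm that unbound.conf does not still reference a trust anchor, since validation with no usable anchor stops DNS. The directive names are Unbound's own; the two sample configs and their paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: report whether an unbound.conf
# still turns on DNSSEC validation via a trust-anchor directive.
# Directive names are the real Unbound ones; sample configs are constructed.

# Print the active (uncommented) trust-anchor directives in a config file.
trust_anchor_directives() {
    # drop comments, then keep only the directives that load an anchor
    sed -e 's/#.*$//' "$1" |
    grep -E '^[[:space:]]*(auto-trust-anchor-file|trust-anchor-file|trust-anchor|trusted-keys-file):' |
    sed -e 's/^[[:space:]]*//'
}

# Succeed (exit 0) when validation is configured, fail (exit 1) otherwise.
validation_configured() {
    [ -n "$(trust_anchor_directives "$1")" ]
}

# Explain what the result means for the unbound-anchor fetch at start time.
check_config() {
    if validation_configured "$1"; then
        echo "$1: trust anchor configured; keep unbound-anchor running or maintain the anchor by hand"
    else
        echo "$1: no trust anchor configured; safe to stop fetching one at start time"
    fi
}

# Constructed sample configs (not the poster's files).
tmpdir=$(mktemp -d)
cat > "$tmpdir/validating.conf" <<'EOF'
server:
    interface: 127.0.0.1
    # anchor kept up to date by unbound-anchor at start time
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
EOF
cat > "$tmpdir/plain.conf" <<'EOF'
server:
    interface: 127.0.0.1
    # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
EOF

check_config "$tmpdir/validating.conf"
check_config "$tmpdir/plain.conf"
```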