DNSCrypt & Unbound in Debian

New to Debian (Or Linux in general)? Ask your questions here!
d3viant
Posts: 24
Joined: 2017-05-17 23:36

#1 Post by d3viant »

Anyone get this set up working (together)?

Getting DNSCrypt going was quite painless.
Unbound is another story.

May 30 20:28:16 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:17 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:17 debian unbound[3994]: [3994:1] info: validation failure <www.startpage.com. AAAA IN>: signature missing from 127.0.2.1 for trust anchor . while building chain of trust
May 30 20:28:17 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:17 debian unbound[3994]: [3994:0] info: validation failure <www.startpage.com. A IN>: key for validation . is marked as invalid because of a previous validation failure <www.startpage.com. AAAA IN>: signature missing from 127.0.2.1 for trust anchor . while building chain of trust

127.0.2.1 is DNSCrypt's proxy.
I think I've missed a step.

signature missing from 127.0.2.1 for trust anchor . while building chain of trust

I'm not sure how to get DNSCrypt to issue a signature?


/var/lib/unbound/root.key:

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1496193557 ;;Tue May 30 20:19:17 2017
;;last_success: 1496193006 ;;Tue May 30 20:10:06 2017
;;next_probe_time: 1496232315 ;;Wed May 31 07:05:15 2017
;;query_failed: 23
;;query_interval: 43200
;;retry_time: 8640
.       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRk$

/etc/unbound/unbound.conf.d/dnscrypt.conf:

server:
    # Remove localhost from the donotquery list
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.2.1@53

/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

/etc/resolv.conf:

#unbound
nameserver 127.0.0.1
#when unbound acts up, i comment it & re-enable dnscrypt:
#127.0.2.1
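The log line "signature missing from 127.0.2.1 for trust anchor ." means Unbound asked the forwarder for the root DNSKEY set with the DO bit and got the keys back without RRSIG records, so it had nothing to validate against root.key. The following script is an added example, not code from the post or from the Unbound or DNSCrypt projects: it builds that exact DO-flagged ". DNSKEY" query, parses a wire-format reply, and reports whether RRSIGs came back. The two embedded replies are constructed with fake key material (not real root keys); live_probe() is an assumption-free UDP helper that sends the same query to whatever address you give it, such as the 127.0.2.1 forwarder from the post.

```python
import socket
import struct

# DNS constants used below (RFC 1035 / RFC 4034 / RFC 6891)
TYPE_OPT = 41
TYPE_RRSIG = 46
TYPE_DNSKEY = 48
CLASS_IN = 1
EDNS_DO = 0x8000          # "DNSSEC OK" bit in the OPT record's TTL field
FLAG_AD = 0x0020          # Authenticated Data bit in the header flags


def encode_name(name):
    """Encode a dotted name into wire format ("." becomes a single zero byte)."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid=0x1234, want_dnssec=True):
    """Build a query with an EDNS0 OPT record; DO set asks the server to include RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt_ttl = EDNS_DO if want_dnssec else 0
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, 4096, opt_ttl, 0)
    return header + question + opt


def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset just after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_response(data):
    """Parse header flags and every RR in all sections into (name, type, ttl, rdata)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4                                      # skip QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        records.append((name, rtype, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return {"rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD), "records": records}


def diagnose(response):
    """Classify a '. DNSKEY' reply the way Unbound's validator will experience it."""
    parsed = parse_response(response)
    types = {r[1] for r in parsed["records"]}
    has_dnskey, has_rrsig = TYPE_DNSKEY in types, TYPE_RRSIG in types
    if has_dnskey and has_rrsig:
        verdict = "ok: DNSKEY and RRSIG present, Unbound can prime the trust anchor"
    elif has_dnskey:
        verdict = "signatures stripped: DNSKEY without RRSIG, Unbound will log 'signature missing'"
    else:
        verdict = "no DNSKEY in reply"
    return {"rcode": parsed["rcode"], "ad": parsed["ad"],
            "dnskey": has_dnskey, "rrsig": has_rrsig, "verdict": verdict}


def live_probe(server, port=53, timeout=3.0):
    """Send the DO-flagged '. DNSKEY' query over UDP to a resolver and diagnose its reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(".", TYPE_DNSKEY), (server, port))
        reply, _ = sock.recvfrom(4096)
    return diagnose(reply)


# ---- constructed sample replies: fake key material, not the real root keys ----
def make_rr(name, rtype, rdata, ttl=172800):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def make_response(records, ad=False, txid=0x1234):
    flags = 0x8180 | (FLAG_AD if ad else 0)              # QR, RD, RA (+AD when requested)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, 0)
    return header + encode_name(".") + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN) + b"".join(records)


FAKE_DNSKEY = struct.pack("!HBB", 257, 3, 8) + b"\xab" * 20          # flags 257 (KSK), proto 3, alg 8, dummy key
FAKE_RRSIG = (struct.pack("!HBBIIIH", TYPE_DNSKEY, 8, 0, 172800,
                          1497000000, 1496000000, 12345)              # covered type, alg, labels, ttl, exp, inc, key tag
              + encode_name(".") + b"\xcd" * 20)                       # signer name, dummy signature

GOOD_RESPONSE = make_response([make_rr(".", TYPE_DNSKEY, FAKE_DNSKEY),
                               make_rr(".", TYPE_RRSIG, FAKE_RRSIG)], ad=True)
STRIPPED_RESPONSE = make_response([make_rr(".", TYPE_DNSKEY, FAKE_DNSKEY)])

if __name__ == "__main__":
    print("DNSSEC-aware upstream:", diagnose(GOOD_RESPONSE)["verdict"])
    print("stripping forwarder:  ", diagnose(STRIPPED_RESPONSE)["verdict"])
    # Against the forwarder from the post: print(live_probe("127.0.2.1"))
```

Running `live_probe("127.0.2.1")` against the dnscrypt-proxy listener tells you which side to look at: a reply with DNSKEY but no RRSIG reproduces the "signature missing" condition from the log and points at the upstream resolver DNSCrypt is talking to (it is not returning DNSSEC data), whereas a reply with both records means the forwarding path is fine and the problem is in Unbound's own trust-anchor handling (root.key, the auto-trust-anchor-file setting, or its probe schedule).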
