DNSCrypt & Unbound in Debian

d3viant
Posts: 24
Joined: 2017-05-17 23:36

DNSCrypt & Unbound in Debian

#1 Post by d3viant »

Anyone get this set up working (together)?

Getting DNSCrypt going was quite painless.
Unbound is another story...

May 30 20:28:16 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:17 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:17 debian unbound[3994]: [3994:1] info: validation failure <www.startpage.com. AAAA IN>: signature missing from 127.0.2.1 for trust anchor . while building chain of trust
May 30 20:28:17 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:17 debian unbound[3994]: [3994:0] info: validation failure <www.startpage.com. A IN>: key for validation . is marked as invalid because of a previous validation failure <www.startpage.com. AAAA IN>: signature missing from 127.0.2.1 for trust anchor . while building chain of trust

127.0.2.1 is DNSCrypt's proxy.
I think I've missed a step.
signature missing from 127.0.2.1 for trust anchor . while building chain of trust
I'm not sure how to get DNSCrypt to issue a signature?


/var/lib/unbound/root.key:

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1496193557 ;;Tue May 30 20:19:17 2017
;;last_success: 1496193006 ;;Tue May 30 20:10:06 2017
;;next_probe_time: 1496232315 ;;Wed May 31 07:05:15 2017
;;query_failed: 23
;;query_interval: 43200
;;retry_time: 8640
.       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRk$

/etc/unbound/unbound.conf.d/dnscrypt.conf:

server:
    # Remove localhost from the donotquery list
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.2.1@53

/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

/etc/resolv.conf:

#unbound
nameserver 127.0.0.1
# When unbound acts up, I comment it & re-enable dnscrypt:
#nameserver 127.0.2.1
