Getting DNSCrypt going was quite painless.
Unbound is another story..
Code:
May 30 20:28:16 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:16 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:17 debian unbound[3994]: [3994:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:17 debian unbound[3994]: [3994:1] info: validation failure <www.startpage.com. AAAA IN>: signature missing from 127.0.2.1 for trust anchor . while building chain of trust
May 30 20:28:17 debian unbound[3994]: [3994:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 30 20:28:17 debian unbound[3994]: [3994:0] info: validation failure <www.startpage.com. A IN>: key for validation . is marked as invalid because of a previous validation failure <www.startpage.com. AAAA IN>: signature missing from 127.0.2.1 for trust anchor . while building chain of trust
I think I've missed a step..
I'm not sure how to get DNSCrypt to issue a signature?
signature missing from 127.0.2.1 for trust anchor . while building chain of trust
/var/lib/unbound/root.key
Code:
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1496193557 ;;Tue May 30 20:19:17 2017
;;last_success: 1496193006 ;;Tue May 30 20:10:06 2017
;;next_probe_time: 1496232315 ;;Wed May 31 07:05:15 2017
;;query_failed: 23
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRk$
Code:
server:
    # Remove localhost from the donotquery list
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.2.1@53
Code:
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
Code:
#unbound
nameserver 127.0.0.1
#when unbound acts up, I comment it out & re-enable dnscrypt:
#127.0.2.1
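
Added example, not part of the original post: the log line "signature missing from 127.0.2.1" means the reply Unbound received from its forward-addr carried no RRSIG for the root DNSKEY set. The sketch below sends that same query with the DNSSEC OK bit set and reports whether a signature comes back; the function names are made up for this example, and the default address and port are taken from the forward-addr line above.

```python
import socket
import struct

RRSIG, DNSKEY, OPT = 46, 48, 41  # RR type codes

def build_query(qtype=DNSKEY, qid=0x1234):
    """Query for the root name with EDNS0 and the DO (DNSSEC OK) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = b"\x00" + struct.pack("!HH", qtype, 1)         # root name, qtype, class IN
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, 0x8000, 0)  # UDP size 4096, DO flag
    return header + question + opt

def skip_name(msg, off):  # returns the offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def answer_types(msg):
    """List the RR types found in the answer section of a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x0200:
        raise ValueError("truncated reply (TC set); repeat the check over TCP")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype + qclass
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def forwarder_passes_signatures(msg):
    """True only if the reply carries the DNSKEY set together with an RRSIG."""
    types = answer_types(msg)
    return DNSKEY in types and RRSIG in types

def probe(addr="127.0.2.1", port=53, timeout=3.0):  # defaults: forward-addr from the post
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (addr, port))
        return forwarder_passes_signatures(s.recvfrom(4096)[0])

# Constructed reply (not captured traffic): one DNSKEY record, no RRSIG.
UNSIGNED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x00\x00\x30\x00\x01"
                  + b"\xc0\x0c" + struct.pack("!HHIH", DNSKEY, 1, 172800, 4) + b"\x01\x01\x03\x08")
```

If `probe()` returns False for the forwarder, a validating Unbound behind it cannot build the chain of trust from the root anchor, whatever the state of root.key.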