Latest update of dnscrypt-proxy broke DNSSEC chain

Sun Jun 22 19:48:19 UTC 2014

I have {unbound + dnscrypt-proxy} running in a jail. /etc/passwd in jail has
below and appears started in sockstat, but provides no log records. My setup
was working before I did "pkg upgrade" in the jail.
_dnscrypt-proxy:*:978:65534::0:0:dnscrypt-proxy
user:/var/empty:/usr/sbin/nologin

# dnscrypt-proxy -t 1 -R dnscrypt.eu-nl
[NOTICE] Starting dnscrypt-proxy 1.4.0
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #808464433 is valid from [2013-12-27] to
[2014-12-27]
[INFO] Server key fingerprint is 
SOME:GEN:KEY:XX:YY:ETC

 <jail>/etc/rc.conf:
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="-d -a 192.168.2.xx:9040 -R dnscrypt.eu-nl
--logfile=/var/log/dnscrypt-proxy.log -m 2"
#_unused_dnscrypt_proxy_flags
# -L /var/unbound/dnscrypt-resolvers.csv
# --provider-key= <above fingerprint>

>From host or inside the jail, "# drill -TD -k /var/unbound/root.key"
<domain> ->
; E;; Error verifying denial of existence for name com.NS: No DNSSEC
signature(s)

Jail's var/log/debug.log shows:
unbound: [4180:0] debug: validator[module 0] operate:
extstate:module_state_initial event:module_event_new
unbound: [4180:0] debug: iterator[module 1] operate:
extstate:module_state_initial event:module_event_pass
unbound: [4180:0] debug: sending to target: <.> 192.168.2.xx#9040
unbound: [4180:0] debug: cache memory msg=71924 rrset=70715 infra=2849
val=66401

My var/unbound/unbound.conf:
server:
  verbosity: 3
    chroot: ""
    port: 53	  # port to answer queries from
    do-ip4: yes	  # Enable IPv4, "yes" or "no".
    do-ip6: no	  # Enable IPv6, "yes" or "no".
    do-udp: yes	  # Enable UDP, "yes" or "no".
    do-tcp: yes

    auto-trust-anchor-file: "/var/unbound/root.key"
    val-clean-additional: yes
    root-hints: "/var/unbound/root.hints"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    use-caps-for-id: yes
    prefetch: yes
    prefetch-key: yes
    num-threads: 1

#    private-address: 127.0.1.0/28  - breaks things
     private-address: 192.168.1.0/24
     private-address: 192.168.2.0/26

    do-not-query-localhost: no

    forward-zone:
    name: "."
    forward-addr: 192.168.2.xx at 9040    # does not work: 127.0.0.1 at 9040

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
--
View this message in context: http://freebsd.1045724.n5.nabble.com/Latest-update-of-dnscrypt-proxy-broke-DNSSEC-chain-tp5922962.html
Sent from the freebsd-net mailing list archive at Nabble.com.