local_unbound disable trusted-anchor

DTD doug at safeport.com
Fri Nov 24 21:46:08 UTC 2017


On Fri, 24 Nov 2017, Ernie Luzar wrote:

> doug wrote:
>> On Tue, 24 Oct 2017, Ernie Luzar wrote:
>> 
>>> How can I stop local_unbound from automatically performing trusted anchor 
>>> at local_unbound start?
>> 
>> Read the thread "Unbound(8) caching resolver no workie on ..." valuable 
>> stuff here. Answered why I had to do the following. Comment out
>>
>>    auto-trust-anchor-file: /var/unbound/root.key
>> 
>> in unbound.conf.
>> 
>
> Yes I followed that thread when it was current on the questions list.
>
> I took a different path to working around stopping the trust-anchor auto 
> fetch at start time.
>
> For security reasons I will not allow any daemon call home for any reason. 
> It's just too easy for that secdns fetch to become compromised and all of a 
> sudden all unbound users are compromised. They added secdns to close some 
> large holes in dns services and ended up adding a far more centralized 
> security hole. secdns needs more time to work out the design problems to 
> become better secured before I am willing to get in bed with it. So I turned 
> off the auto secdns fetch altogether and run unbound without it just fine.
>
> It came to my attention that the version of unbound used by release 11.1 
> local_unbound was 3 versions behind what was provided in the port version of 
> unbound. So I pkg installed unbound and then hacked the rc.d unbound script 
> commenting out the code that did the actual fetch of the trust-anchor file 
> content.
>
> Then I installed the dns2blackhole port and followed the great detailed 
> instructions for populating unbound with a file containing known bad domain 
> names so unbound will block those dns lookups, thus protecting the host 
> unbound runs on and all LAN devices hard-wired or wifi connected behind that 
> host.
>
> dns2blackhole man page has a lot of info on customizing unbound and 
> local_unbound, so it's worth it to just install it for its man page.
>
> I also have ntpd launched at boot time and it does complain about being 
> unable to resolve its domain name until unbound completes its start-up. 
> This is a simple timing thing between ntpd and unbound that resolves itself 
> and only creates 2 warning messages in the system log which I understand and 
> ignore.

Thanks for the reply and thoughts. I am trying to work through the security 
issues raised in the thread and your reply.

_____
Douglas Denault
http://www.safeport.com
doug at safeport.com
Voice: 301-217-9220
   Fax: 301-217-9277
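The thread describes two ways of stopping the start-time trust-anchor fetch: commenting out the auto-trust-anchor-file line in unbound.conf, or editing the rc.d script so the fetch is skipped. What neither message spells out is what the resolver is left doing afterwards: with auto-trust-anchor-file unbound tracks the root key via RFC 5011; with a static trust-anchor-file it validates against a fixed key and never fetches anything; with no anchor option at all it does not validate DNSSEC. The following POSIX shell script is an added example, not code from the thread or from the unbound or FreeBSD projects. It classifies an unbound.conf into those three modes so an administrator can confirm which state a hand-edited config actually ended up in. It assumes unbound's "option: value" syntax with '#' comments, and the configs it inspects are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example: classify how an unbound.conf handles DNSSEC trust anchors.
# Assumes unbound's "option: value" syntax with '#' comments (any text after
# '#' is treated as a comment). Output is one of: auto, static, none.

# anchor_mode CONFIG_FILE
#   auto   - auto-trust-anchor-file is active (RFC 5011 key tracking, does DNS
#            queries to the root at start and periodically)
#   static - trust-anchor-file is active (validation with a fixed key, no fetch)
#   none   - neither option is active, so unbound performs no DNSSEC validation
anchor_mode() {
    conf="$1"
    # Drop comments first so a commented-out line does not count as active.
    stripped=$(sed 's/#.*$//' "$conf")
    if printf '%s\n' "$stripped" | grep -q '^[[:space:]]*auto-trust-anchor-file:'; then
        echo auto
    elif printf '%s\n' "$stripped" | grep -q '^[[:space:]]*trust-anchor-file:'; then
        echo static
    else
        echo none
    fi
}

# sample_config VARIANT
#   Prints a constructed unbound.conf for the demonstration. VARIANT is one of
#   "auto", "commented" (the edit described in the thread) or "static".
sample_config() {
    case "$1" in
        auto)
            printf 'server:\n    interface: 127.0.0.1\n    auto-trust-anchor-file: /var/unbound/root.key\n' ;;
        commented)
            printf 'server:\n    interface: 127.0.0.1\n    # auto-trust-anchor-file: /var/unbound/root.key\n' ;;
        static)
            # Hypothetical path; a real deployment would point at its own copy of the root key.
            printf 'server:\n    interface: 127.0.0.1\n    trust-anchor-file: /var/unbound/root-static.key\n' ;;
        *)
            echo "unknown variant: $1" >&2; return 1 ;;
    esac
}

# Demonstration: write each constructed config to a temp file and report its mode.
tmpdir=$(mktemp -d)
for v in auto commented static; do
    sample_config "$v" > "$tmpdir/$v.conf"
    printf '%-10s -> %s\n' "$v" "$(anchor_mode "$tmpdir/$v.conf")"
done
rm -rf "$tmpdir"
```

Run it against the real file with `anchor_mode /var/unbound/unbound.conf` (or wherever the pkg-installed unbound reads its config). The useful check is that "none" is the result when the line was commented out: that matches the state the thread describes, and makes explicit that the resolver is then no longer validating signatures.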


More information about the freebsd-questions mailing list