local_unbound disable trusted-anchor

DTD doug at safeport.com
Fri Nov 24 21:46:08 UTC 2017

On Fri, 24 Nov 2017, Ernie Luzar wrote:

> doug wrote:
>> On Tue, 24 Oct 2017, Ernie Luzar wrote:
>>> How can I stop local_unbound from automatically performing trusted anchor 
>>> at local_unbound start?
>> Read the thread "Unbound(8) caching resolver no workie on ..." valuable 
>> stuff here. Answered why I had to do the following. Comment out
>>    auto-trust-anchor-file: /var/unbound/root.key
>> in unbound.conf.
> Yes I followed that thread when it was current on the questions list.
> I took a different path to working around stopping the trust-anchor auto 
> fetch at start time.
> For security reasons I will not allow any daemon call home for any reason. 
> Its just to easy for that secdns fetch to become compromised and all of a 
> sudden all unbound users are compromised. They added secdns to close some 
> large holes in dns services and ended up adding a far more centralized 
> security hole. secdns needs more time to work out the design problems to 
> become better secured before I an willing to get in bed with it. So I turned 
> off the auto secdns fetch all together and run unbound without it just fine.
> It came to my attention that the version of unbound used by release 11.1 
> local_unbound was 3 versions behind what was provided in the port version of 
> unbound. So I pkg installed unbound and then hacked the rc.d unbound script 
> commenting out the code that did the actual fetch of the trust-anchor file 
> content.
> Then I installed the dns2blackhole port and followed the great detailed 
> instructions for populating unbound with a file containing known bad domain 
> names so unbound will block those dns look ups thus protecting the host 
> unbound runs on and all LAN devices hard wired or wifi connected behind that 
> host.
> dns2blackhole man page has a lot of info on customizing unbound and 
> local_unbound, so it's worth it to just install it for its man page.
> I also have ntpd launched at boot time and it does complain about being 
> unable to resolve it's domain name until unbound completes it's start up. 
> This is a simple timing thing between ntpd and unbound that resolves itself 
> and only creates 2 warning messages in the system log which I understand and 
> ignore.

Thanks for the reply and thoughts. I am trying to work through the security 
issues raised in the thread and your reply.

Douglas Denault
doug at safeport.com
Voice: 301-217-9220
   Fax: 301-217-9277

More information about the freebsd-questions mailing list