appendix - Re: [MacPorts] #49264: unbound don't promote DNSSEC under El Capitan
FritzS - gmx
fritzs at gmx.net
Sat Oct 31 10:04:46 PDT 2015
Now I updated port and unbound too, but it doesn't work
http://dnssectest.sidnlabs.nl/test.php
says
'You are not protected
Permissive mode detected:
Your DNSSEC is configured in "permissive mode" (or you use a combination of validating- and non-validating resolvers) and as such you are not protected.’
/opt/local/etc/unbound/root.key is renewed at each boot.
Must unbound.pid be in the same directory as root.key?
What could be wrong?
My current unbound.conf
—————————————————————————
# See unbound.conf(5) man page, version 1.5.6.
server:
# verbosity 1 is default.
verbosity: 1
# Set to "" or 0 to disable. Default is disabled - every N seconds.
# 86400 = one day
statistics-interval: 86400
# statistics-cumulative: no
# extended-statistics: no
num-threads: 2
# defined interfaces - fix IP
#
# all interfaces, all IP
interface: 0.0.0.0
interface: ::0
# port to answer queries from, default 53
port: 53
so-rcvbuf: 2m
so-sndbuf: 2m
msg-cache-size: 4m
msg-cache-slabs: 4
jostle-timeout: 200
rrset-cache-size: 4m
rrset-cache-slabs: 4
cache-min-ttl: 5
cache-max-ttl: 86400
# infra-host-ttl: 900
infra-cache-slabs: 4
# infra-cache-numhosts: 10000
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
# tcp-upstream: no
# do-daemonize: yes
access-control: ::1 allow
access-control: fd00::/8 allow
access-control: fe80::/10 allow
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow
access-control: 169.254.0.0/16 allow
chroot: "/opt/local/etc/unbound"
username: "unbound"
directory: "/opt/local/etc/unbound"
logfile: "/logs/unbound.log"
use-syslog: no
log-time-ascii: yes
log-queries: yes
# pidfile: "/opt/local/var/run/unbound/unbound.pid"
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
# root-hints: ""
root-hints: "/named.cache"
# harden-glue - default is on
harden-glue: yes
# harden-dnssec-stripped - default is on
harden-dnssec-stripped: yes
# prefetch - default no
prefetch: yes
# auto-trust-anchor-file: "/opt/local/var/run/unbound/root.key"
# I tested both paths below
# auto-trust-anchor-file: "/opt/local/etc/unbound/root.key"
auto-trust-anchor-file: "/root.key"
## Can be an absolute path outside of chroot/work dir.
## pidfile: "/opt/local/var/run/unbound/unbound.pid"
# Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
# dlv-anchor-file: "dlv.isc.org.key"
# trusted-keys-file: ""
# /opt/local/var/run/unbound/root.key
# dont run
# trusted-keys-file: "/opt/local/var/run/unbound/root.key"
val-clean-additional: yes
# key-cache-size: 4m
key-cache-slabs: 4
# default is "1Mb".
—————————————————————————
> On 29.10.2015 at 22:58, MacPorts <noreply at macports.org> wrote:
>
> #49264: unbound don't promote DNSSEC under El Capitan
> -----------------------+----------------------
> Reporter: fritzs@… | Owner: snc@…
> Type: defect | Status: closed
> Priority: Normal | Milestone:
> Component: ports | Version: 2.3.4
> Resolution: fixed | Keywords: haspatch
> Port: unbound |
> -----------------------+----------------------
> Changes (by snc@…):
>
> * status: new => closed
> * resolution: => fixed
>
>
> Comment:
>
> Updated in r141858.
>
> --
> Ticket URL: <https://trac.macports.org/ticket/49264#comment:27>
> MacPorts <https://www.macports.org/>
> Ports system for OS X
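
An added example, not part of the original post and not MacPorts or unbound code: a Python check that applies the path rule from unbound.conf(5) (file paths may be given relative to the new root, relative to the working directory, or as original-root paths that begin with the chroot prefix, which is then stripped) to the file options in the configuration above. The function names are hypothetical, the sample is constructed from lines of the posted file, and it assumes `chroot` and `directory` are both set as they are there.

```python
import posixpath

# Constructed sample: the path-related lines of the unbound.conf in the post.
SAMPLE_CONF = '''
server:
chroot: "/opt/local/etc/unbound"
directory: "/opt/local/etc/unbound"
logfile: "/logs/unbound.log"
root-hints: "/named.cache"
# auto-trust-anchor-file: "/opt/local/var/run/unbound/root.key"
auto-trust-anchor-file: "/root.key"
'''

# File options covered here; pidfile is left out on purpose.
PATH_KEYS = ("logfile", "root-hints", "auto-trust-anchor-file",
             "trusted-keys-file", "dlv-anchor-file")

def parse(conf):
    """Return {option: value} for active (uncommented) 'key: value' lines."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line or line.endswith(":"):
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip().strip('"')
    return opts

def strip_chroot(path, chroot):
    """Drop a leading chroot prefix so the path is relative to the new root."""
    root = chroot.rstrip("/")
    if root and (path == root or path.startswith(root + "/")):
        return path[len(root):] or "/"
    return path

def host_path(value, chroot, directory):
    """Real-filesystem path that a configured value refers to under chroot."""
    inside = strip_chroot(value, chroot)
    if not inside.startswith("/"):  # relative: resolved from the working dir
        inside = posixpath.join(strip_chroot(directory, chroot), inside)
    return posixpath.normpath(chroot.rstrip("/") + "/" + inside.lstrip("/"))

def effective_paths(conf):
    """Map each active file option to the host path it resolves to."""
    opts = parse(conf)
    chroot, directory = opts.get("chroot", ""), opts.get("directory", "")
    return {k: host_path(opts[k], chroot, directory)
            for k in PATH_KEYS if k in opts}
```

Under this rule, `/root.key` and `/opt/local/etc/unbound/root.key` name the same file, while `/opt/local/var/run/unbound/root.key` lies outside the chroot prefix and is looked up beneath the chroot directory instead.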