Re: [MacPorts] #49264: unbound don't promote DNSSEC under El Capitan

FritzS - gmx fritzs at gmx.net
Sat Oct 31 10:04:46 PDT 2015


Now I updated the port and unbound too, but it doesn't work.
http://dnssectest.sidnlabs.nl/test.php
says
"You are not protected
Permissive mode detected:
Your DNSSEC is configured in "permissive mode" (or you use a combination of validating- and non-validating resolvers) and as such you are not protected."

/opt/local/etc/unbound/root.key is renewed at each boot.

Must unbound.pid be in the same directory as root.key?

What could be wrong?

My current unbound.conf
—————————————————————————
# See unbound.conf(5) man page, version 1.5.6.
server:
	# verbosity 1 is default.
	
	verbosity: 1

	# Set to "" or 0 to disable. Default is disabled - every N seconds.
	# 86400 = one day
	
	statistics-interval: 86400

	# statistics-cumulative: no

	# extended-statistics: no
	
	num-threads: 2
	
	# defined interfaces - fix IP
	#
	# all interfaces, all IP
	interface: 0.0.0.0
	interface: ::0

	# port to answer queries from, default 53	
	
	port: 53

	so-rcvbuf: 2m

	so-sndbuf: 2m
	
	msg-cache-size: 4m
	
	msg-cache-slabs: 4
	
	jostle-timeout: 200
	
	rrset-cache-size: 4m
	
	rrset-cache-slabs: 4
	
	cache-min-ttl: 5
	
	cache-max-ttl: 86400

	# infra-host-ttl: 900

	infra-cache-slabs: 4

	# infra-cache-numhosts: 10000
	
	do-ip4: yes
	
	do-ip6: yes
	
	do-udp: yes
	
	do-tcp: yes

	# tcp-upstream: no

	# do-daemonize: yes
	
	access-control: ::1 allow
	access-control: fd00::/8 allow
	access-control: fe80::/10 allow
	access-control: 127.0.0.0/8 allow
	access-control: 10.0.0.0/8 allow
	access-control: 172.16.0.0/12 allow
	access-control: 192.168.0.0/16 allow
	access-control: 169.254.0.0/16 allow
	
	chroot: "/opt/local/etc/unbound"
	
	username: "unbound"
	
	directory: "/opt/local/etc/unbound"
	
	logfile: "/logs/unbound.log"

	use-syslog: no 
	
	log-time-ascii: yes
	
	log-queries: yes

	# pidfile: "/opt/local/var/run/unbound/unbound.pid"

	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
	# root-hints: ""
	
	root-hints: "/named.cache"
	# harden-glue - default is on
	
	harden-glue: yes
	
	# harden-dnssec-stripped - default is on
	
	harden-dnssec-stripped: yes
	
	# prefetch - default no
	
	prefetch: yes

	# auto-trust-anchor-file: "/opt/local/var/run/unbound/root.key"

	# I tested both paths below
	# auto-trust-anchor-file: "/opt/local/etc/unbound/root.key"
	auto-trust-anchor-file: "/root.key"
	
	## Can be an absolute path outside of chroot/work dir.
	## pidfile: "/opt/local/var/run/unbound/unbound.pid"	

	# Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
	# dlv-anchor-file: "dlv.isc.org.key"

	# trusted-keys-file: ""
	# /opt/local/var/run/unbound/root.key
	# dont run
	# trusted-keys-file: "/opt/local/var/run/unbound/root.key"
	
	val-clean-additional: yes

	# key-cache-size: 4m

	key-cache-slabs: 4

	#  default is "1Mb". 
—————————————————————————


> Am 29.10.2015 um 22:58 schrieb MacPorts <noreply at macports.org>:
> 
> #49264: unbound don't promote DNSSEC under El Capitan
> -----------------------+----------------------
> Reporter:  fritzs@…  |      Owner:  snc@…
>     Type:  defect    |     Status:  closed
> Priority:  Normal    |  Milestone:
> Component:  ports     |    Version:  2.3.4
> Resolution:  fixed     |   Keywords:  haspatch
>     Port:  unbound   |
> -----------------------+----------------------
> Changes (by snc@…):
> 
> * status:  new => closed
> * resolution:   => fixed
> 
> 
> Comment:
> 
> Updated in r141858.
> 
> -- 
> Ticket URL: <https://trac.macports.org/ticket/49264#comment:27>
> MacPorts <https://www.macports.org/>
> Ports system for OS X
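As an added example (not code from the thread or from the unbound project), a small Python checker that resolves unbound's path options under `chroot:` the way unbound does and flags settings that weaken validation. The sample config is constructed from the lines posted above; the chroot rule (a path already starting with the chroot directory is stripped, any other path is taken relative to the chroot) and the default `module-config` of "validator iterator" are assumed from unbound's documented behaviour.

```python
import re
import posixpath

# Constructed sample: the DNSSEC-relevant lines from the posted unbound.conf.
SAMPLE_CONF = """\
server:
	chroot: "/opt/local/etc/unbound"
	directory: "/opt/local/etc/unbound"
	auto-trust-anchor-file: "/root.key"
	root-hints: "/named.cache"
	# auto-trust-anchor-file: "/opt/local/var/run/unbound/root.key"
"""


def parse_server_options(text):
    """Return {option: [values]} for a server: clause, ignoring comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"^([a-z0-9-]+):\s*(.*)$", line)
        if not m or m.group(1) == "server":            # skip the clause header
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        opts.setdefault(key, []).append(value)
    return opts


def host_path(opts, option):
    """Where a configured path ends up on the host filesystem once unbound
    has chrooted: a path that starts with the chroot dir is used as-is (the
    prefix is stripped inside the jail); any other path lives under the chroot."""
    chroot = opts.get("chroot", [""])[0]
    path = opts[option][0]
    if not chroot or path == chroot or path.startswith(chroot + "/"):
        return path
    return posixpath.join(chroot, path.lstrip("/"))


def dnssec_findings(opts):
    """List settings under which answers reach clients without validation."""
    findings = []
    if opts.get("val-permissive-mode", ["no"])[0] == "yes":
        findings.append("val-permissive-mode: yes -> bogus answers are still served")
    modules = opts.get("module-config", ["validator iterator"])[0]
    if "validator" not in modules.split():
        findings.append("module-config has no 'validator' -> no DNSSEC validation")
    anchors = ("auto-trust-anchor-file", "trust-anchor-file", "trusted-keys-file")
    if not any(k in opts for k in anchors):
        findings.append("no trust anchor configured -> nothing can be validated")
    return findings
```

Run against the posted config, the checker shows why a trust-anchor path outside the chroot (such as /opt/local/var/run/unbound/root.key) could not be opened: it is looked up underneath /opt/local/etc/unbound.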


