# unbound + dhcpcd/openresolv with DNSSEC

## mv

I am trying to run unbound with DNSSEC, but with a fallback to the nameserver obtained by dhcpcd.

At a first glance, openresolv seems to do everything: it can be configured to generate something like the following /etc/unbound-resolvconf.conf:

> forward-zone:
>         name: "localdomain"
>         forward-addr: 192.168.0.1
> ...

which can be .include'd in the unbound configuration. To be honest, I do not completely understand what forward-zones mean and why these two names apply to all my DNS queries (e.g. in firefox), so perhaps this is related to my problem:

I was hoping that this would work out-of-the-box, but unfortunately unbound refuses to resolve anything at all: I get messages like

> info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN

which I interpret as meaning that DNSSEC does not work with the local (provider's) server on the router, which is not surprising, since this "untrusted" local server is what I want to avoid with unbound and use only as a fallback. When I omit the inclusion of the above file in /etc/unbound/unbound.conf, I can resolve names, but of course do not have the local fallback.

Can I somehow teach unbound that the "forward zone"s are really only a fallback and do not need to be protected with DNSSEC, preferably without hacking up the openresolv script which generates /etc/unbound-resolvconf.conf? Perhaps there is also a resolvconf configuration possible which I am not aware of...
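The quoted error is unbound refusing to serve answers it cannot validate: to prime its trust anchor it needs the root DNSKEY RRset together with its RRSIG records, and with a "." forward-zone that request goes to whatever server the zone lists. The following added Python example (standard library only; not part of unbound, openresolv or dhcpcd) sends that same query with the EDNS0 DO bit to a nameserver and reports whether DNSSEC records come back, so a dhcpcd-supplied server can be checked before a validating resolver is pointed at it. The address 192.168.0.1 is the router address from this thread; the offline sample reply is constructed.

```python
"""Probe whether a nameserver hands back DNSSEC data for the root zone.

Added example for this thread (standard library only); not part of unbound,
openresolv or dhcpcd.  It sends '. DNSKEY' with the EDNS0 DO bit, the query a
validating resolver uses to prime its trust anchor, and checks whether DNSKEY
and RRSIG records come back.  Assumption: the server answers on UDP/53.
"""
import socket
import struct

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
FLAG_AD = 0x0020          # Authenticated Data bit in the header flags

def encode_name(name):
    """Wire-format a dotted name ('.' becomes the single root label)."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname=".", qtype=TYPE_DNSKEY, txid=0x1234):
    """Query with RD set and an EDNS0 OPT record carrying DO (DNSSEC OK)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0,
    # version 0, flags 0x8000 (DO), rdlength 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def skip_name(msg, off):
    """Advance past a wire name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Count record types in the reply; record contents are not decoded."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # qtype + qclass
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "dnskey": types.count(TYPE_DNSKEY),
            "rrsig": types.count(TYPE_RRSIG), "edns": TYPE_OPT in types}

def assess(r):
    """Say whether a validating resolver could prime its trust anchor via this server."""
    if r["rcode"] != 0:
        return "error: rcode %d for the root DNSKEY query" % r["rcode"]
    if r["dnskey"] and r["rrsig"]:
        return "usable: root DNSKEY and RRSIG returned, validation can proceed"
    if r["dnskey"]:
        return "strips signatures: DNSKEY without RRSIG, validation will fail"
    if not r["edns"]:
        return "no EDNS0 in reply: server cannot carry DNSSEC records"
    return "no DNSKEY returned: trust anchor cannot be primed through this server"

def probe(server, timeout=3.0):
    """Send the query over UDP and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        data, _ = s.recvfrom(4096)
    return assess(parse_response(data))

def constructed_sample_response(strip_rrsig=False):
    """Constructed (fake) root DNSKEY reply so the parser can be exercised offline."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1,
                         1 if strip_rrsig else 2, 0, 1)
    question = encode_name(".") + struct.pack("!HH", TYPE_DNSKEY, 1)
    ptr = b"\xC0\x0C"                            # pointer to the question name
    dnskey = ptr + struct.pack("!HHIH", TYPE_DNSKEY, 1, 3600, 4) + b"\x01\x01\x03\x08"
    rrsig = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, 3) + b"\x00\x30\x08"
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + dnskey + (b"" if strip_rrsig else rrsig) + opt

if __name__ == "__main__":
    import sys
    # 192.168.0.1 is the router address from the thread; override on the command line
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"))
```

Run it as `python3 probe.py 192.168.0.1`; a reply classified as "usable" is the minimum a forwarder must provide before unbound can validate through it, while "strips signatures" or "no EDNS0" explains the trust-anchor error directly.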

----------

## UberLord

 *mv wrote:*

> I am trying to run unbound with DNSSEC, but with a fallback to the nameserver obtained by dhcpcd.

It doesn't quite work like that.

I think dnssec in unbound is set at the server level, so all upstream nameservers need to be DNSSEC enabled.

My ISP ones are not, so I forward to Google's DNS which is.

Note, I only need to do this on my router - each of my clients will pick up protection from this automatically.

 *mv wrote:*

> Can I somehow teach unbound that the "forward zone"s are really only a fallback and do not need to be protected with DNSSEC, preferably without hacking up the openresolv script which generates /etc/unbound-resolvconf.conf? Perhaps there is also a resolvconf configuration possible which I am not aware of...

Not sure this is possible. Try asking unbound upstream, they will know better.

----------

## mv

 *UberLord wrote:*

> It doesn't quite work like that.
>
> I think dnssec in unbound is set at the server level, so all upstream nameservers need to be DNSSEC enabled.

Thanks for clarifying. In this case, I do not really understand what the purpose of the unbound "backend" of openresolv is: it seems to me that even if I gave up DNSSEC, using this backend, unbound would just query the server obtained by dhcpcd, i.e. I could as well omit unbound completely and directly query that server. It seems to me that the main purpose of unbound (recursive resolving, independent of any ISP service) cannot be used in such a setting.

Indeed, this is more a question concerning unbound than concerning openresolv, but perhaps you had some special purpose in mind when writing the backend?

----------

## UberLord

 *mv wrote:*

> > *UberLord wrote:* It doesn't quite work like that.
> >
> > I think dnssec in unbound is set at the server level, so all upstream nameservers need to be DNSSEC enabled.
>
> Thanks for clarifying. In this case, I do not really understand what is the purpose of the unbound "backend" of openresolv
> ...

Primary use case - caching DNS.

Secondary use case - splitting DNS requests from VPN assignments.

So for example I can set up a resolvconf entry as VPN - so if it contains search domain(s) then it will forward requests for hosts within that domain to the listed nameservers only whilst allowing all other requests to go to other nameservers.

Quite powerful :)

Anything else such as DNSSEC is best done at the router level to pass the benefits down to the clients.
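To make the forward-zone mechanism described in this thread concrete, here is an added Python example; it is not openresolv's own subscriber script (the one that writes the real /etc/unbound-resolvconf.conf), only an illustration of what such a file expresses. Each search domain becomes a forward-zone whose queries go only to that interface's nameservers (the VPN split-DNS case UberLord describes), and the zone named "." is the catch-all that sends every other query to the listed servers, which is why the file quoted at the top routed all lookups through the router. It goes a little beyond the thread by also showing two real unbound options, `domain-insecure:` (skip the DNSSEC chain of trust for one name only, so answers under it are unvalidated) and `forward-first:` (try the forwarders, then fall back to unbound's own recursion), as the knobs closest to what mv asked for. Interface names, addresses and domains are constructed.

```python
"""Build unbound forward-zone stanzas from resolvconf-style interface data.

Added example for this thread: it reproduces the shape of the quoted
/etc/unbound-resolvconf.conf but is NOT openresolv's unbound subscriber.
Assumptions (constructed for the example): interface names, addresses and
domains are invented; a 'private' interface (e.g. a VPN) answers only for its
own search domains and never joins the catch-all "." zone.
"""


def parse_resolvconf(text):
    """Return (nameservers, domains) from one interface's resolv.conf-style text."""
    servers, domains = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] in ("search", "domain"):
            domains.extend(parts[1:])
    return servers, domains


def forward_zones(interfaces):
    """Map zone name -> ordered list of forwarders.

    interfaces: list of (ifname, resolv_text, private) in priority order.
    Every search domain becomes its own zone forwarding only to that
    interface's servers (split DNS).  Servers of non-private interfaces also
    form the "." zone that catches every other query.
    """
    zones = {}

    def add(zone, servers):
        lst = zones.setdefault(zone, [])
        for s in servers:
            if s not in lst:        # keep order, drop duplicates
                lst.append(s)

    for _ifname, text, private in interfaces:
        servers, domains = parse_resolvconf(text)
        if not servers:
            continue
        for d in domains:
            add(d, servers)
        if not private:
            add(".", servers)
    return zones


def render_unbound(zones, insecure_domains=(), forward_first=False):
    """Render zones as unbound.conf text suitable for an include: directive.

    insecure_domains: names for which unbound skips the DNSSEC chain of trust
    ("domain-insecure:"), e.g. an unsigned purely local domain.  Answers under
    those names are never validated, so keep the list minimal.
    forward_first: emit "forward-first: yes" in each zone, so unbound tries
    the forwarders first and falls back to its own recursion if they fail.
    """
    lines = []
    if insecure_domains:
        lines.append("server:")
        lines.extend('\tdomain-insecure: "%s"' % d for d in insecure_domains)
    for name, servers in zones.items():
        lines.append("forward-zone:")
        lines.append('\tname: "%s"' % name)
        lines.extend("\tforward-addr: %s" % s for s in servers)
        if forward_first:
            lines.append("\tforward-first: yes")
    return "\n".join(lines) + "\n"


# Constructed sample input: a LAN interface from dhcpcd and a VPN tunnel.
SAMPLE_INTERFACES = [
    ("eth0", "nameserver 192.168.0.1\nsearch localdomain\n", False),
    ("tun0", "nameserver 10.8.0.1\nsearch corp.example\n", True),
]

if __name__ == "__main__":
    print(render_unbound(forward_zones(SAMPLE_INTERFACES),
                         insecure_domains=("localdomain",)))
```

In the sample, `corp.example` is answered only by the VPN server 10.8.0.1, while `localdomain` and "." both go to the router; marking `localdomain` insecure keeps validation on for everything else, whereas the "." zone still has to reach a server that returns DNSSEC records or unbound will keep failing to prime its trust anchor.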

----------

