<h1>ISP y u no DNSSEC?</h1>
<p>Posted 2014-12-15, last modified 2014-12-16, at <a href="https://hauweele.net/~gawen/blog/?p=551">https://hauweele.net/~gawen/blog/?p=551</a>. Tags: ad, authenticated-data, caching, dhcp, dns, dnssec, forwarding, freebsd, local_unbound, permissive, resolveconf, resolver, unbound.</p>
<p><a title="Unbound" href="http://unbound.net" target="_blank">Unbound</a> is a secure, lightweight and high-performance validating, recursive, and caching DNS resolver. It performs DNSSEC validation and is also really easy to configure. It cannot act as a full-fledged authoritative server; for that, take a look at <a title="NSD" href="http://www.nlnetlabs.nl/projects/nsd" target="_blank">NSD</a>, which is, on the contrary, authoritative only. For a nice tutorial about Unbound configuration, see <a title="this post" href="http://calomel.org/unbound_dns.html" target="_blank">this post</a>.</p>
<p>Today I discovered local_unbound on FreeBSD. This script generates a configuration suitable for running unbound as a forwarding resolver. It also uses resolvconf to update the list of forwarders, which means that it is automatically configured with the name servers provided by the DHCP offer.</p>
<p>By default, unbound withholds the reply from the client when validation fails: the client gets SERVFAIL instead of the answer. Unfortunately, most of the name servers provided by home routers and ISPs do not support DNSSEC. Even worse, some ISPs redirect all port 53 queries to their own name servers, which of course do not support DNSSEC either. You can check whether this is the case with this command:</p>
<p><code>dig @8.8.8.8 +short test.dnssec-or-not.net TXT</code></p>
<p>Google Public DNS supports DNSSEC, so if the command shows nothing, the query really reached 8.8.8.8 and all is well. If instead it prints something like <em>"Nope! DO bit not set in your query"</em>, your query never reached Google: it was redirected to a server which is not DNSSEC capable.</p>
<p>Such a forwarder does not return the DNSSEC records (RRSIGs, and the signed DS or NSEC data needed to follow a delegation), so unbound can neither validate signed zones nor prove that unsigned ones are insecure, and it marks almost everything bogus. You end up with a nice caching forwarding resolver which does not seem to resolve anything (at least from the client's point of view).</p>
<p>You have two ways to overcome this. First, you can force your forwarders to DNSSEC-capable servers such as Google Public DNS (8.8.8.8 / 8.8.4.4). However, as mentioned above, this does not work when your ISP redirects all queries to its own server. The second solution is to put unbound into permissive mode (<em>/etc/unbound/unbound.conf</em>):</p>
<pre>server:
    (...)
    val-permissive-mode: yes
</pre>
<p>In that case, replies to queries that did not pass validation are no longer withheld from the client, but the Authenticated Data (AD) bit is not set in the reply. Be aware of what this trades away: a client that does not itself look at the AD bit (ordinary applications do not) will use a forged answer just as readily as a genuine one, which is precisely what validation was supposed to prevent. Permissive mode is a way to keep resolving behind a broken forwarder, not a substitute for DNSSEC; prefer the first solution, or a fully recursive unbound with no forwarders at all, whenever the ISP does not hijack port 53.</p>
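<p>The checks described above (the dnssec-or-not probe, the SERVFAIL symptom of a bogus validation, the AD bit that permissive mode leaves clear) and the two unbound.conf alternatives, gathered into one runnable script. This is an added example, not code from the original post, from Unbound or from FreeBSD's local_unbound. The dig outputs it tests against are constructed, not real captures; the wording of the dnssec-or-not reply beyond the quoted "DO bit not set" line, example.net as a signed zone to query in live mode, and the trust-anchor path /var/unbound/root.key are assumptions.</p>

```shell
#!/bin/sh
# Added example, not code from the original post or from Unbound/FreeBSD.
# The helpers work on captured dig output so they can be exercised offline
# against the constructed samples below; "--live" runs the real dig queries.
# Assumptions not in the post: the dnssec-or-not reply wording beyond
# "DO bit not set", example.net as a signed test zone, and the FreeBSD
# trust-anchor path /var/unbound/root.key.

# 1. Interpret `dig @8.8.8.8 +short test.dnssec-or-not.net TXT`.
#    Empty output: the query really reached Google, a DNSSEC-aware resolver.
#    "DO bit not set": something on the path (ISP redirect, home router)
#    answered instead and did not carry the DNSSEC OK flag.
classify_dnssec_or_not() {
    case "$1" in
        "")                 echo "ok" ;;
        *"DO bit not set"*) echo "hijacked" ;;
        *)                  echo "unknown" ;;
    esac
}

# 2. Interpret a full `dig +dnssec` answer from the local unbound:
#    - status SERVFAIL: unbound withheld the reply (default behaviour on bogus)
#    - AD flag in the header: unbound validated the answer
#    - NOERROR without AD: handed over unvalidated, which is what
#      val-permissive-mode does with data that failed validation
diagnose_dig_output() {
    if printf '%s\n' "$1" | grep -q 'status: SERVFAIL'; then
        echo "withheld"
    elif printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'; then
        echo "validated"
    else
        echo "unvalidated"
    fi
}

# 3. The two unbound.conf fragments the post contrasts.
unbound_forward_fragment() {
    cat <<'EOF'
server:
    # trust anchor as maintained by unbound-anchor on FreeBSD (assumed path)
    auto-trust-anchor-file: "/var/unbound/root.key"
    val-log-level: 1
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
EOF
}

unbound_permissive_fragment() {
    cat <<'EOF'
server:
    val-permissive-mode: yes
    # failures stay visible in the log even though clients no longer see them
    val-log-level: 1
EOF
}

# Constructed sample dig headers (not real captures).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PERMISSIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live mode: needs network, dig, and unbound listening on 127.0.0.1.
if [ "$1" = "--live" ]; then
    echo "path check: $(classify_dnssec_or_not "$(dig @8.8.8.8 +short test.dnssec-or-not.net TXT)")"
    echo "local unbound: $(diagnose_dig_output "$(dig @127.0.0.1 +dnssec example.net A)")"
fi
```

<p>Run it with no arguments to exercise the offline helpers on the constructed samples, or with <code>--live</code> to run the real queries against 8.8.8.8 and the local resolver. Both fragments set <code>val-log-level: 1</code> so that validation failures keep appearing in the unbound log, which matters most in permissive mode, where the client no longer notices them.</p>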