OpenBSD Journal

DNSSEC enabled in default unbound(8) configuration

Contributed by rueda on from the +dnssec-take-two dept.

DNSSEC validation has been enabled in the default unbound.conf(5) in -current. The relevant commits were from Job Snijders (job@)

CVSROOT:	/cvs
Module name:	src
Changes by:	job@cvs.openbsd.org	2019/11/07 05:49:45

Modified files:
	etc            : unbound.conf 

Log message:
Enable DNSSEC validation in unbound by default

OK deraadt@ otto@

and from Stuart Henderson (sthen@)

CVSROOT:	/cvs
Module name:	src
Changes by:	sthen@cvs.openbsd.org	2019/11/07 08:46:37

Modified files:
	etc            : unbound.conf 

Log message:
Reenable "val-log-level: 2", so that when sites have misconfigured
dnssec the sysadmin has some idea what's going on in logs, and
"aggressive-nsec: yes", if we're using dnssec anyway we might as well
get the benefits. These were both enabled last time dnssec was enabled
in this sample unbound.conf.

ok florian@

This was attempted late last year, but reverted because of difficulties bootstrapping machines with incorrect clocks.

Also relevant are this commit from Theo de Raadt (deraadt@)

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2019/11/06 12:04:12

Modified files:
	etc            : ntpd.conf 

Log message:
Perform contraint validation against 9.9.9.9 and 2620:fe::fe also (which
avoids DNS lookups entirely, but yes this https is correctly validated)
long discussions with otto, florian, and the quad9 crew.

and some of the work by Otto Moerbeek (otto@) upon which we reported earlier.

(Comments are closed)


Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]