Turning off DNSSEC in my Unbound instances

August 9, 2019

I tweeted:

It has been '0' days since DNSSEC caused DNS resolution for perfectly good DNS names to fail on my machine. Time to turn DNSSEC validation off, which I should have done long ago.

I use Unbound on my machines, from the Fedora package, so this is not some questionable local resolver implementation getting things wrong; this is a genuine DNSSEC issue. In my case, it was for www.linuxjournal.com, which is in my sources of news because it's shutting down. When I tried to visit it from my home machine, I couldn't get an answer for its IP address. Turning on verbose Unbound logging gave me a great deal of noise, in which I could barely make out that Unbound was able to obtain A and AAAA records but then was going on to try DNSSEC and clearly something was going wrong. Turning off DNSSEC fixed it, once I did it in the right way.

NLNet Labs has a Howto on turning off DNSSEC in Unbound that provides a variety of ways to do this, starting from setting 'val-permissive-mode: yes' all the way up to disabling the validator module. My configuration has had permissive mode set to yes for years, but that was apparently not good enough to deal with this situation, so I have now removed the validator module from my Unbound module configuration. In fact I have minimized it compared to the Fedora version.

The Fedora 29 default configuration for Unbound modules is:

module-config: "ipsecmod validator iterator"

I had never heard of 'ipsecmod' before, but it turns out to be 'opportunistic IPSec support', as described in the current documentation for unbound.conf; I will let you read the details there. Although configured as a module in the Fedora version, it is not enabled ('ipsecmod-enabled' is set off); however, I have a low enough opinion of unprompted IPSec to random strangers that I removed the module entirely, just in case. So my new module config is just:

module-config: "iterator"

(Possibly I could take that out too and get better performance.)

In the Fedora Unbound configuration, this can go in a new file in /etc/unbound/local.d. I called my new file 'no-dnssec.conf'.
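Because the effective setting depends on whichever module-config Unbound reads last (the local.d include overrides the stock server clause), it is easy to believe validation is off when it is not, or vice versa. The following checker is an added example and not part of this entry or of Unbound itself: it walks an unbound.conf, follows include: globs the way the Fedora layout uses them, and reports whether the validator is loaded, whether val-permissive-mode is set, and the resulting status. The demo() function builds a constructed Fedora-style tree in a temporary directory; the rule that relative include paths resolve against the including file's directory is an assumption of this checker.

```python
import glob, os, re, shutil, tempfile

OPTION_RE = re.compile(r"^\s*([a-z0-9-]+)\s*:\s*(.*?)\s*$")  # "option: value" lines

def _options(path):
    """Yield (option, value) from one file, recursing into include: globs.
    Assumption: relative include paths resolve against the including file's directory."""
    with open(path) as fh:
        for raw in fh:
            m = OPTION_RE.match(raw.split("#", 1)[0])  # drop comments, then match
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip('"')
            if key == "include":  # os.path.join is a no-op for absolute globs
                for inc in sorted(glob.glob(os.path.join(os.path.dirname(path), value))):
                    yield from _options(inc)
            else:
                yield key, value

def dnssec_state(conf_path):
    """Report whether the validator is loaded and the resulting DNSSEC status."""
    module_config, permissive = "validator iterator", "no"  # unbound.conf(5) defaults
    for key, value in _options(conf_path):
        if key == "module-config":
            module_config = value  # Unbound keeps the last definition it reads
        elif key == "val-permissive-mode":
            permissive = value.lower()
    modules = module_config.split()
    loaded = "validator" in modules
    status = "off" if not loaded else ("permissive" if permissive == "yes" else "enforcing")
    return {"modules": modules, "validator_loaded": loaded, "status": status}

def demo():
    """Constructed Fedora-style tree: audit before/after adding local.d/no-dnssec.conf."""
    root = tempfile.mkdtemp()
    local_d = os.path.join(root, "local.d")
    os.mkdir(local_d)
    main = os.path.join(root, "unbound.conf")
    with open(main, "w") as fh:
        fh.write('server:\n    module-config: "ipsecmod validator iterator"\n'
                 f'    val-permissive-mode: yes\ninclude: {local_d}/*.conf\n')
    before = dnssec_state(main)["status"]
    with open(os.path.join(local_d, "no-dnssec.conf"), "w") as fh:
        fh.write('server:\n    module-config: "iterator"\n')
    after = dnssec_state(main)
    shutil.rmtree(root)
    return before, after["status"], after["modules"]
```

Running dnssec_state("/etc/unbound/unbound.conf") on a real host gives the same three-way answer for that machine's resolver.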

(There were a variety of frustrating aspects to this experience and I have some opinions on DNSSEC as a whole, but those are for another entry.)

Written on 09 August 2019.
Last modified: Fri Aug 9 20:56:17 2019