Turning off DNSSEC in my Unbound instances
It has been '0' days since DNSSEC caused DNS resolution for perfectly good DNS names to fail on my machine. Time to turn DNSSEC validation off, which I should have done long ago.
I use Unbound on my machines, from the Fedora package, so this is not some questionable local resolver implementation getting things wrong; this is a genuine DNSSEC issue. In my case, it was for www.linuxjournal.com, which is in my sources of news because it's shutting down. When I tried to visit it from my home machine, I couldn't get an answer for its IP address. Turning on verbose Unbound logging gave me a great deal of noise, in which I could barely make out that Unbound was able to obtain A and AAAA records but then was going on to try DNSSEC and clearly something was going wrong. Turning off DNSSEC fixed it, once I did it in the right way.
NLNet Labs has a Howto on turning off DNSSEC in Unbound that provides a variety of ways to do this, starting from setting 'val-permissive-mode: yes' all the way up to disabling the validator module. My configuration has had permissive mode set to yes for years, but that was apparently not good enough to deal with this situation, so I have now removed the validator module from my Unbound module configuration. In fact I have minimized it compared to the Fedora
The Fedora 29 default configuration for Unbound modules is:
module-config: "ipsecmod validator iterator"
I had never heard of 'ipsecmod' before, but it turns out to be 'opportunistic IPSec support', as described in the current unbound.conf; I will let you read the details there. Although configured as a module in the Fedora version, it is not enabled ('ipsecmod-enabled' is set off); however, I have a low enough opinion of unprompted IPSec to random strangers that I removed the module entirely, just in case.
So my new module config is just:
(Possibly I could take that out too and get better performance.)
In the Fedora Unbound configuration, this can go in a new file in /etc/unbound/local.d. I called my new file '
(There were a variety of frustrating aspects to this experience and I have some opinions on DNSSEC as a whole, but those are for another entry.)
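To tell which of the states described above a given configuration is actually in (full validation, permissive mode, or no validator module), the following Python check reads unbound.conf text and classifies it. It is an added example, not code from the original post or from Unbound; the function names and the sample configurations other than the Fedora default line are constructed for illustration, and it assumes a later setting overrides an earlier one and that included files have already been concatenated.

```python
import re

# Unbound's documented defaults when a setting is absent from the config.
DEFAULTS = {"module-config": "validator iterator", "val-permissive-mode": "no"}

def effective_settings(conf_text):
    """Return the last value seen for each setting in DEFAULTS.

    Assumptions: a later line overrides an earlier one, and 'include:'
    directives are not followed, so pass in the concatenated config text.
    """
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", line)
        if m and m.group(1) in settings:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def dnssec_state(conf_text):
    """Classify a config (hypothetical helper, not an Unbound tool)."""
    s = effective_settings(conf_text)
    if "validator" not in s["module-config"].split():
        return "validator-removed"   # no DNSSEC validation happens at all
    if s["val-permissive-mode"].lower() == "yes":
        return "permissive"          # validator runs, bogus answers still returned
    return "validating"              # bogus answers are withheld from clients

# Constructed sample configs; only the first module-config line is from the post.
FEDORA_DEFAULT = 'server:\n    module-config: "ipsecmod validator iterator"\n'
PERMISSIVE = FEDORA_DEFAULT + "    val-permissive-mode: yes  # earlier setup\n"
NO_VALIDATOR = PERMISSIVE + 'server:\n    module-config: "iterator"\n'

if __name__ == "__main__":
    for name, conf in [("default", FEDORA_DEFAULT), ("permissive", PERMISSIVE),
                       ("no validator", NO_VALIDATOR)]:
        print(f"{name}: {dnssec_state(conf)}")
```

Running a check like this across a fleet's resolver configs makes it visible which machines have validation weakened or removed, so the choice stays deliberate rather than forgotten.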