Unbound on Apuntes de root

Fix failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

jorti@pm.me (Juan Orti Alcaine) — Mon, 14 Jan 2013 00:00:00 +0000

After installing Unbound in a OpenWrt router, I noticed that afer a reboot, the DNS was not working. I saw many of these errors in the log:

failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

I have discovered that the system date was wrong. As this device lacks a hardware clock, when the machine boots, it cannot synchronize the time by NTP because there is no resolver (Unbound doesn’t start because the date validation of the ICANN certificate fails). It’s a chicken or the egg problem.

Configure Unbound DNSSEC resolver in OpenWrt

jorti@pm.me (Juan Orti Alcaine) — Thu, 20 Dec 2012 00:00:00 +0000

After realizing that my ISP (ONO) was hijacking the NXDOMAIN DNS responses, I decided to improve the security of the DNS queries for my entire LAN using DNSSEC.

I choosed to replace dnsmasq for unbound in my OpenWrt router. These are the steps I followed.

First I installed the required packages:

# opkg update # opkg install unbound unbound-anchor unbound-control unbound-control-setup unbound-host

As dnsmasq is also the DHCP server, I’m not going to disable it, only change the DNS port to 5353. In /etc/config/dhcp