Hi unbound users,

I am new to DNS, new to unbound and new to the list, so please bear with me.

My setup: a dedicated machine to run as a caching resolver in my LAN, Ubuntu server 18.10, unbound 1.7.3.

This is my unbound.conf:

server:
    # chroot: "/etc/unbound"
    username: "unbound"
    directory: "/etc/unbound"
    port: 53
    do-ip4: yes
    do-ip6: no
    do-tcp: yes
    do-udp: no
    # do-udp: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    interface: 0.0.0.0
    interface-automatic: yes
    access-control: x.y.z.0/24 allow   # some private class c net
    root-hints: "root.hints"
    prefetch: yes
    prefetch-key: yes
    use-caps-for-id: yes
    statistics-interval: 600
    statistics-cumulative: yes
    hide-identity: yes
    hide-version: yes
    verbosity: 2
    minimal-responses: yes
    rrset-roundrobin: yes
    ssl-upstream: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 146.185.167.43@853#dot.securedns.eu
    forward-addr: 185.49.141.37@853#getdnsapi.net
    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk

According to my configuration I would have expected to have both DNSSEC and TLS encryption switched on. The following dig proves this:

$ sudo dig de. SOA

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> de. SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19839
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;de.                IN  SOA

;; ANSWER SECTION:
de.         7174    IN  SOA f.nic.de. its.denic.de. 2018103033 7200 7200 3600000 7200

;; Query time: 356 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Di Okt 30 08:32:15 UTC 2018
;; MSG SIZE  rcvd: 83

unbound logs look like this:

Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: resolving de. SOA IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: response for de. SOA IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: reply from <.> 146.185.167.43#853
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: query response was ANSWER
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validated DS de. DS IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: resolving de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: response for de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: reply from <.> 185.49.141.37#853
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: query response was ANSWER
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validated DNSKEY de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validate(positive): sec_status_secure
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validation success de. SOA IN

This is what I had expected. However, most of the time my logs show lines like these below, for example after a dig like:

$ sudo dig ubuntuusers.de SOA +dnssec

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> ubuntuusers.de SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35576
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ubuntuusers.de.            IN  SOA

;; ANSWER SECTION:
ubuntuusers.de.     86294   IN  SOA ubuntuusers.de. webmaster.ubuntuusers.de. 2006072320 10000 3600 2419200 1200

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Di Okt 30 08:38:33 UTC 2018
;; MSG SIZE  rcvd: 89

$

This is what unbound logs:

Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: response for ubuntuusers.de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: reply from <.> 185.49.141.37#853
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: query response was ANSWER
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. DS IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: response for ubuntuusers.de. DS IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: reply from <.> 146.185.167.43#853
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: query response was nodata ANSWER
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: NSEC3s for the referral proved no DS.
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: Verified that unsigned response is INSECURE

To me, this looks like no DNSSEC and maybe no TLS encryption, though I see the #853s.

What is going wrong here?

Thanks for your help.
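Added example, not part of the post above and not unbound's own code: a small Python script that scans verbosity 2 log lines of the shape quoted in the post and reports, per resolved name, whether the validator ended in secure, insecure (the parent's NSEC3 proved there is no DS, so the zone is simply unsigned; this is what the ubuntuusers.de lines show) or bogus, and whether any reply arrived from an upstream on a port other than 853, which would mean a query did not go over the DoT forwarders. The sample log is constructed: the first two queries mirror the post, the third (bogus.example., 192.0.2.10) is invented to exercise the bogus and plain-port branches.

```python
import re

# Constructed sample in the shape of the post's verbosity: 2 log lines; the
# third query (thread 718:1) is invented to show a bogus result on port 53.
SAMPLE_LOG = """\
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: resolving de. SOA IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: reply from <.> 146.185.167.43#853
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: resolving de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validate(positive): sec_status_secure
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validation success de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: reply from <.> 185.49.141.37#853
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. DS IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: NSEC3s for the referral proved no DS.
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: Verified that unsigned response is INSECURE
Okt 30 08:40:01 dnsserver1 unbound[718]: [718:1] info: resolving bogus.example. A IN
Okt 30 08:40:01 dnsserver1 unbound[718]: [718:1] info: reply from <.> 192.0.2.10#53
Okt 30 08:40:01 dnsserver1 unbound[718]: [718:1] info: validate(positive): sec_status_bogus
"""

LINE = re.compile(r"\[(?P<thread>\d+:\d+)\] info: (?P<msg>.*)$")
RESOLVING = re.compile(r"^resolving (?P<name>\S+) \S+ IN$")
REPLY = re.compile(r"^reply from <[^>]*> (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)$")
VALIDATE = re.compile(r"^validate\(\w+\): sec_status_(?P<status>\w+)$")
SUCCESS = re.compile(r"^validation success (?P<name>\S+) ")

def analyse(log_text):
    """Return (outcomes, plaintext): name -> 'secure'/'insecure'/'bogus',
    and the list of upstream ip#port replies that did not use port 853."""
    last_name = {}   # per-thread name of the query currently being resolved
    outcomes = {}
    plaintext = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if (r := RESOLVING.match(msg)):
            last_name[thread] = r.group("name")   # sub-queries (DS, DNSKEY) too
        elif (r := REPLY.match(msg)):
            if r.group("port") != "853":
                plaintext.append(f'{r.group("ip")}#{r.group("port")}')
        elif (r := VALIDATE.match(msg)):
            outcomes[last_name.get(thread, "?")] = r.group("status")
        elif (r := SUCCESS.match(msg)):
            outcomes[r.group("name")] = "secure"
        elif msg == "Verified that unsigned response is INSECURE":
            outcomes[last_name.get(thread, "?")] = "insecure"   # unsigned zone
    return outcomes, plaintext
```

Run it over `journalctl -u unbound` output to see at a glance that "INSECURE" here is a proven-unsigned delegation, not a validation failure, and that every reply still came in via port 853.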
