Summary: | dns/dnscrypt-proxy2: Instructions for using together with unbound are lacking
---|---
Product: | Ports & Packages
Component: | Individual Port(s)
Reporter: | Erik Nordstrøm <erik>
Assignee: | Danilo G. Baio <dbaio>
Status: | Closed FIXED
Severity: | Affects Only Me
Priority: | ---
CC: | dbaio, egypcio
Flags: | egypcio: maintainer-feedback+
Version: | Latest
Hardware: | Any
OS: | Any

Description
Erik Nordstrøm
2018-03-31 01:00:48 UTC

Comment these two lines and try it again, please:

    #include: /var/unbound/lan-zones.conf
    #include: /var/unbound/conf.d/*.conf

--------------------------------------------------------

    $ cat unbound.conf
    # This file was generated by local-unbound-setup.
    # Modifications will be overwritten.
    server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key
        interface: 127.0.0.1
        do-not-query-localhost: no

    include: /var/unbound/forward.conf
    #include: /var/unbound/lan-zones.conf
    include: /var/unbound/control.conf
    #include: /var/unbound/conf.d/*.conf

    $ cat forward.conf
    # This file was generated by local-unbound-setup.
    # Modifications will be overwritten.
    forward-zone:
        name: .
        forward-addr: 127.0.0.1@5353

This port was tested with unbound from ports. The local_unbound comes with DNSSEC by default.

    [1522499703] unbound[60108:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
    [1522499703] unbound[60108:0] info: validator operate: query netbsd.org. A IN
    [1522499703] unbound[60108:0] info: Could not establish a chain of trust to keys for org. DNSKEY IN

You should comment the `auto-trust-anchor-file ...` line or configure dnscrypt-proxy to use servers with DNSSEC only.

The instructions in pkg-message should be upgraded. One idea is to add this to the pkg-message:

    If you are using local_unbound, DNSSEC is enabled by default and you
    should comment "auto-trust-anchor-file ..." line or change
    dnscrypt-proxy to use servers with DNSSEC support only.

Any other suggestion?

(In reply to Danilo G. Baio from comment #3)

Configuring dnscrypt-proxy2 to require DNSSEC makes it work like you said. I agree with your proposed change of pkg-message; that would solve the concern of this problem report.

Created attachment 192105
dns/dnscrypt-proxy2: instructions for using together with unbound, r466217

Thank you! Patch is attached.

Created attachment 192370
dns/dnscrypt-proxy2: instructions for using together with unbound, r466876

https://reviews.freebsd.org/D15024

again, tyvm for reporting it! very appreciated.

A commit references this bug:

Author: dbaio
Date: Wed Apr 18 02:25:49 UTC 2018
New revision: 467667
URL: https://svnweb.freebsd.org/changeset/ports/467667

Log:
  dns/dnscrypt-proxy2: Update to 2.0.10

  Main changes in the port:

  - Improve instructions for using dnscrypt-proxy2 together with unbound. [1]
  - Add dnscrypt_proxy_suexec option for users who want to run the daemon as root.
  - Move the configuration file from ${PREFIX}/etc/dnscrypt-proxy.toml to
    ${PREFIX}/etc/dnscrypt-proxy/dnscrypt-proxy.toml, because by default
    temporary files will use the path of the config file.
    This fixes a permission issue when fetching the public resolvers list.

  Changes: https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/2.0.10/ChangeLog

  PR: 227129 [1]
  Submitted by: egypcio@googlemail.com (maintainer)
  Reported by: erik@nordstroem.no [1]
  Differential Revision: https://reviews.freebsd.org/D15024

Changes:
  head/UPDATING
  head/dns/dnscrypt-proxy2/Makefile
  head/dns/dnscrypt-proxy2/distinfo
  head/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
  head/dns/dnscrypt-proxy2/files/pkg-message.in
  head/dns/dnscrypt-proxy2/pkg-message
  head/dns/dnscrypt-proxy2/pkg-plist

Committed, thanks!
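
The mismatch diagnosed in this report can be checked for before unbound starts failing lookups. The script below is an added example, not part of the bug report or the port: the sample file contents are constructed from the files quoted above, the helper names are hypothetical, and it assumes unbound's validator module is active and that dnscrypt-proxy does not require DNSSEC when `require_dnssec` is absent.

```python
import re

# Constructed samples modelled on the unbound.conf / forward.conf quoted in this report.
UNBOUND_CONF = """\
server:
    auto-trust-anchor-file: /var/unbound/root.key
    interface: 127.0.0.1
    do-not-query-localhost: no
forward-zone:
    name: .
    forward-addr: 127.0.0.1@5353   # dnscrypt-proxy listener
"""
DNSCRYPT_TOML = """\
listen_addresses = ['127.0.0.1:5353']
require_dnssec = false
"""

def active_lines(text):
    """Yield settings with '#' comments and blank lines stripped (both formats use '#')."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def unbound_validates(conf):
    """True if an uncommented trust anchor is configured (validator module assumed on)."""
    return any(re.match(r"(auto-)?trust-anchor(-file)?:", l) for l in active_lines(conf))

def loopback_forwarders(conf):
    """Return forward-addr values that point at the local host."""
    addrs = [l.split(":", 1)[1].strip()
             for l in active_lines(conf) if l.startswith("forward-addr:")]
    return [a for a in addrs if a.startswith("127.") or a.startswith("::1")]

def dnscrypt_requires_dnssec(toml):
    """Read require_dnssec; an absent key is treated as false (assumption)."""
    for line in active_lines(toml):
        m = re.match(r"require_dnssec\s*=\s*(true|false)\b", line)
        if m:
            return m.group(1) == "true"
    return False

def check(unbound_conf, dnscrypt_toml):
    """Flag a validating unbound forwarding to a proxy that may pick non-DNSSEC servers."""
    if not unbound_validates(unbound_conf):
        return "ok: unbound has no active trust anchor, so it is not validating"
    if not loopback_forwarders(unbound_conf):
        return "ok: unbound does not forward to a local proxy"
    if dnscrypt_requires_dnssec(dnscrypt_toml):
        return "ok: dnscrypt-proxy is restricted to DNSSEC-capable servers"
    return "mismatch: unbound validates DNSSEC but require_dnssec is not true"

if __name__ == "__main__":
    print(check(UNBOUND_CONF, DNSCRYPT_TOML))
```

Of the two fixes discussed in the thread, setting `require_dnssec = true` keeps unbound's DNSSEC validation on, whereas commenting out the trust anchor turns validation off.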