* I have unbound -> dnscrypt-proxy running in a jail.

* In the jail's rc.conf, I have
    local_unbound_enable="YES"
    dnscrypt_proxy_flags="-d -a 127.0.0.1:9040 -R dnscrypt.eu-nl"
    dnscrypt_proxy_enable="YES"

* When the jail starts with DNSSEC enabled in unbound.conf, all DNS lookups fail due to validation. This means lookups succeed, but validations fail with messages like:

    rrset failed to verify due to a lack of signatures
    Failed to match any usable anchor to a DNSKEY.
    autotrust: validate DNSKEY with anchor: sec_status_bogus
    autotrust: dnskey did not verify.
    autotrust: write to disk: /var/unbound/root.key.3269-0
    autotrust: replaced /var/unbound/root.key
    rrset failed to verify due to a lack of signatures
    Failed to match any usable anchor to a DNSKEY.
    validate keys with anchor(DS): sec_status_bogus
    failed to prime trust anchor -- DNSKEY rrset is not secure

* THE SOLUTION: When the jail starts, "# jexec dns-jail csh" (chroot to jail), kill dnscrypt-proxy and unbound, then restart with
    dns-jail#> unbound
    dns-jail#> dnscrypt-proxy -d -a 127.0.0.1:port -R <resolver>

--NOTES--
* The above is valid for unbound from ports AND from src (base)
* Modifying rc.d/unbound as suggested in bug report does not solve the issue
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194975
* Other info on the topic here:
  https://github.com/jedisct1/dnscrypt-proxy/issues/161#issuecomment-62744087
Maintainer CC'd
Now using dnscrypt-proxy-1.4.0_5, and have modified the jail's etc/rc.conf as:
    local_unbound_enable="YES"
    dnscrypt_proxy_enable="YES"
    dnscrypt_proxy_resolver="dnscrypt.eu-nl"
    dnscrypt_proxy_flags="-a 127.0.0.1:9040"
Using the new knob "dnscrypt_proxy_resolver" solves the issue. All services start working at jail startup. DNSSEC validation working.
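The report above ends with "DNSSEC validation working" but gives no way to confirm that after a jail start. Below is an added example, not from the bug report and not part of unbound or dnscrypt-proxy: a POSIX sh script that (a) scans unbound log output for the trust-anchor failure markers quoted in the first comment and (b) checks whether a `dig +dnssec` answer from the jail's resolver carries the AD (authenticated data) flag, which is set only when unbound actually validated the answer. The `--live` mode, the function names, the `UNBOUND_LOG` path and the use of `sockstat` (FreeBSD) are assumptions of this example; port 9040 is the one from the report's rc.conf.

```shell
#!/bin/sh
# Added example (not from the bug report): check that DNSSEC validation in the
# jail is really working after startup, and flag the unbound log markers that
# the report quotes when the trust anchor could not be primed.
#
# Assumptions (not from the page): unbound listens on 127.0.0.1:53,
# dnscrypt-proxy on 127.0.0.1:9040, dig and sockstat are available in the
# jail, and unbound logs via syslog to $UNBOUND_LOG.

# Count log lines that indicate broken trust-anchor validation, using the
# messages quoted in the report. Reads the log from stdin; always prints a
# number and exits 0 so it can be used under set -e.
count_bogus_markers() {
    grep -c -e 'sec_status_bogus' \
            -e 'failed to prime trust anchor' \
            -e 'Failed to match any usable anchor' || true
}

# Return 0 if the dig output in $1 shows the AD flag in its header line
# (";; flags: qr rd ra ad; ..."), i.e. the resolver validated the answer.
dig_validated() {
    printf '%s\n' "$1" | grep -q '^;; flags:.*[ ]ad[ ;]'
}

# Wait up to $2 seconds for a listener on 127.0.0.1:$1 (sockstat is the
# FreeBSD tool; the report's ordering problem is exactly unbound coming up
# before dnscrypt-proxy listens on 9040).
wait_for_listener() {
    port=$1; tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        sockstat -l | grep -q "127\.0\.0\.1:$port" && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Live mode: run inside the jail after startup. Off by default so the
# functions above can be sourced and unit-tested without network access.
if [ "${1:-}" = "--live" ]; then
    wait_for_listener 9040 10 || { echo "dnscrypt-proxy not listening on 127.0.0.1:9040"; exit 1; }
    wait_for_listener 53 10   || { echo "unbound not listening on 127.0.0.1:53"; exit 1; }

    # The root zone is signed, so its SOA must come back with AD set when
    # the validator is healthy.
    out=$(dig @127.0.0.1 +dnssec . SOA 2>&1)
    if dig_validated "$out"; then
        echo "OK: answers from 127.0.0.1 carry the AD flag (DNSSEC validation active)"
    else
        echo "FAIL: no AD flag; validation is off or the trust anchor is bogus"
    fi

    log=${UNBOUND_LOG:-/var/log/messages}   # assumed log path
    n=$(count_bogus_markers < "$log")
    [ "$n" -eq 0 ] || echo "WARNING: $n trust-anchor failure line(s) in $log"
fi
```

Usage inside the jail: `sh check-dnssec.sh --live`. If the AD check fails right after startup but passes after restarting the two daemons by hand (the workaround in the first comment), the cause is the startup ordering rather than the trust anchor itself.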