Unbound is a validating, recursive, caching DNS resolver.
USE flags for net-dns/unbound (a validating, recursive and caching DNS resolver):
- Enable extra debug code paths, like asserts and extra output. To get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
- Enable DNSCrypt support
- Enable dnstap support
- Enable ECDSA support
- Enable EDNS client subnet support
- Enable GOST support
- Enable HTTP/2 support for DoH (DNS over HTTPS) via net-libs/nghttp2
- Add optional support/bindings for the Python language
- Enable the cache db backend, which uses dev-libs/hiredis
- !!internal use only!! Security Enhanced Linux support; this must be set by the selinux profile or breakage will occur
- Build static versions of dynamic libraries as well
- Enable use of systemd-specific libraries and features like socket activation or session tracking
- Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
- Enable TCP Fast Open client+server
- Add threads support for various packages. Usually pthreads
- Verify upstream signatures on distfiles
emerge --ask net-dns/unbound
For testing DNS resolution, use dig, which is part of net-dns/bind-tools.
- /etc/unbound/unbound.conf - Global (system wide) configuration file.
To use DNSSEC validation, a trust anchor file needs to be created and referenced from the unbound configuration file.
The unbound-anchor tool that ships with unbound can create the initial trust anchor, BUT, as the manual points out, this is at your own risk and you MUST validate the trust anchor it creates. See the unbound documentation for details.
Alternatively, the anchor can be taken from the root zone file, which can be downloaded from https://www.internic.net/domain/root.zone, by searching for the DNSKEY records. Again, care is needed to validate that this is indeed the correct public key.
As of May 2022, and as an example ONLY (do not use it unless you have verified it by other means), this is what was found in the root.zone file:
. IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixH lFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/ EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm +2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
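One way to carry out the validation the text insists on is to derive the key tag and DS digest from the DNSKEY record and compare them with the DS record IANA publishes for the root. The following Python script is an added example and not part of the wiki page or of unbound itself: it computes the key tag (RFC 4034 appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4) for the record shown above, copied verbatim into the script, and compares them with the IANA-published DS for the 2017 root KSK (key tag 20326). The IANA values are quoted here from memory and should be cross-checked against https://data.iana.org/root-anchors/root-anchors.xml before being relied on.

```python
import base64
import hashlib

# Copy of the DNSKEY record printed above (May 2022 root.zone). Whitespace
# inside the base64 key is allowed in zone presentation format and is
# stripped before decoding.
ROOT_DNSKEY_RR = (
    ". IN DNSKEY 257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixH "
    "lFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/ "
    "EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm "
    "+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)

# DS published by IANA in root-anchors.xml for the 2017 root KSK, quoted from
# memory: (key tag, algorithm, digest type, digest). Cross-check before use.
IANA_ROOT_DS = (20326, 8, 2,
                "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")


def parse_dnskey(rr):
    """Parse a DNSKEY RR in zone presentation format.

    Returns (owner, flags, protocol, algorithm, public_key_bytes). An optional
    TTL and/or class before the type are tolerated.
    """
    fields = rr.split()
    type_idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(f) for f in fields[type_idx + 1:type_idx + 4])
    key = base64.b64decode("".join(fields[type_idx + 4:]), validate=True)
    return owner, flags, protocol, algorithm, key


def owner_to_wire(owner):
    """Canonical (lower-case) wire form of an owner name; "." is a single zero byte."""
    wire = b""
    for label in owner.rstrip(".").split("."):
        if label:
            label_bytes = label.lower().encode("ascii")
            wire += bytes([len(label_bytes)]) + label_bytes
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name | DNSKEY RDATA), upper-case hex."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(owner_to_wire(owner) + rdata).hexdigest().upper()


def matches_trust_anchor(rr, ds):
    """True if the DNSKEY record reproduces the given (tag, alg, digest type, digest) DS."""
    exp_tag, exp_alg, digest_type, exp_digest = ds
    owner, flags, protocol, algorithm, key = parse_dnskey(rr)
    # A trust anchor must be a SEP (KSK, flag bit 0) with protocol 3.
    if flags & 0x0001 == 0 or protocol != 3:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    return (algorithm == exp_alg
            and key_tag(rdata) == exp_tag
            and ds_digest(owner, rdata, digest_type) == exp_digest.upper())


if __name__ == "__main__":
    owner, flags, protocol, algorithm, key = parse_dnskey(ROOT_DNSKEY_RR)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    print("key tag:   ", key_tag(rdata))
    print("DS SHA-256:", ds_digest(owner, rdata))
    print("matches IANA anchor:", matches_trust_anchor(ROOT_DNSKEY_RR, IANA_ROOT_DS))
```

Run as a script it prints the computed key tag and digest and whether they match. A mismatch means either the record was not copied faithfully or it is not the KSK the published DS describes; in either case the key should not be installed as a trust anchor.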
Once created, the anchor needs regular updates; this can be done by enabling automatic updates in the configuration file, which uses the unbound-anchor tool to refresh the trust anchor file.
Assuming the file is named /etc/unbound/var/dnssec-trust-anchors.key, add to the server section of the configuration file:

server:
    ...
    auto-trust-anchor-file: "/etc/unbound/var/dnssec-trust-anchors.key"
rc-update add unbound
rc-service unbound start
emerge --ask --depclean --verbose net-dns/unbound