From Gentoo Wiki
Jump to:navigation Jump to:search
This article is a stub. Please help out by expanding it - how to get started.

Unbound is a validating, recursive, caching DNS resolver.


USE flags

USE flags for net-dns/unbound A validating, recursive and caching DNS resolver

debug Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
dnscrypt Enable DNSCrypt support
dnstap Enable dnstap support
ecdsa Enable ECDSA support
ecs Enable EDNS client subnet support
gost Enable GOST support
http2 Enable HTTP/2 support for DoHnet-libs/nghttp2
python Add optional support/bindings for the Python language
redis Enable cache db backend which usesdev-libs/hiredis
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
static-libs Build static versions of dynamic libraries as well
systemd Enable use of systemd-specific libraries and features like socket activation or session tracking
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
tfo Enable TCP Fast Open client+server
threads Add threads support for various packages. Usually pthreads
verify-sig Verify upstream signatures on distfiles


root #emerge --ask net-dns/unbound

Additional software

For testing DNS resolving, use dig part of the net-dns/bind-tools package.



  • /etc/unbound/unbound.conf - Global (system wide) configuration file.

DNSSEC Configuration

To be able to use dnssec validation, a trust anchor (file) needs to be created and pointed to from the unbound configuration file.

One can use the unbound-anchor tool that comes with the unbound install to create the initial trust anchor, BUT as indicated in the manual, this is at your own risk and you MUST validate the trust anchor thus created. Please see unbound documentation for details.

Alternative the anchor can be found in the root zone file than can be downloaded at https://www.internic.net/domain/root.zone and searching for DNSKEY. Again care is need to validate this is indeed the correct public key.

As of May 2022, as an example ONLY (please don't use unless it has verified it by other means), this is what was found looking in the root.zone file.

. IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixH lFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/ EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm +2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=

Once created the anchor will need regular updates, this can be done by setting (in the configuration file) automatic updates. Thus uses the unbound-anchor tool to refresh the trust anchor file.

Assuming the file is named /etc/unbound/var/dnssec-trust-anchors.key...

FILE /etc/unbound/unbound.conf


     auto-trust-anchor-file: "/etc/unbound/var/dnssec-trust-anchors.key"



root #rc-update add unbound
root #rc-service unbound start



root #emerge --ask --depclean --verbose net-dns/unbound