Using DNSSEC with unbound

Hey there,

I would like to use DNSSEC with unbound. Indeed, there's the option Enable DNSSEC for unbound in LuCI. If enabled, the additional option DNSSEC NTP Fix appears. From the description and some searching it's not clear to me, if this should be enabled or better not. I couldn't find a note on this in the official unbound documentation.

Furthermore, the documentation refers to unbound-anchor in relation with DNSSEC. Since the checkbox seems to not require this package, I wonder if DNSSEC works without.

In summary, I wonder if there's a OpenWrt-specific procedure or if the official unbound guide should be followed.

There is a readme here:

The NTP fix handles the problem at boot time when time has not yet been synchronized, but DNSSEC really needs valid local time in order to enforce DNSSEC “security”. So if the time is not yet synced when Unbound starts at boot up, it will allow DNSSEC to run temporarily with less-stringent checking of timestamps of signed zones, etc.

Once NTP has succeeded in correcting the router time, it will force Unbound to restart in the more secure DNSSEC mode.

Alright, I didn't read the specific paragraph carefully enough the first time. Basically you just check both options and don't care about the unbound-anchor because a root key/trust anchor is in the right path by default.

Unfortunately DNSSEC is flawed by design resulting in performance, compatibility and fault tolerance related issues.
Some domains just fail to resolve because DNSSEC is configured incorrectly by their admins, and since this feature is not mandatory, they don't even bother fixing it.
Accessing problematic domains requires the client to use opportunistic mode, which makes DNSSEC effectively useless.

So far I had no issues. Is there a way to check if clients use opportunistic mode?

For me, it failed multiple times with some mail servers, online shops, geolocation services, etc.
Be ready to monitor your DNS server logs in verbose mode to identify and mitigate possible issues.
In any case, DNSSEC implementation details should be explained in the upstream Unbound docs.

DNSSEC "problems" are a passive stall to protect revenue. Many host providers are related to certificate authorities, through some direct or indirect ownership profile as they see fit. Note, host providers may be just resellers dependent on a much larger host company policies. Certificate management and wholesale certificate leakage (see below) are consistent revenue. DNSSEC contains a poison pill to that notary-for-cash business. DANE puts the domain owner entirely in control. They merely need their registrar to push their DS (DNSKEY) record. Its not a big leap to see why your host provider (or their parent or resale partner) makes this hard for a business.

Most notably, in 2018, Symantec, after a series of failures (including allowing unauthorised access to CA resources and a lack of audits) was distrusted by Google. This meant that sites with Symantec’s certificates would no longer be accessible on Chrome.

1 Like