Note that, at this time, Unbound does not re-use TLS connections
(https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the
TCP and TLS handshakes will cause a disproportiate increase in
latency compared to UDP. ok sthen@ florian@
prefix" address instead - there are so many available with varying
policies that this isn't a good place to list them (and might imply
some kind of recommendation which is not intended).
Particularly prompted by several on the previous list (he.net and opendns)
strip RRSIG from results which cause DNSSEC failures now that validation
is enabled in the example config as noticed by solene@.
While there, shrink qname-minimisation comment to match other nearby
comments, and drop dns64 example which is quite a specialist use case
and not really needed in this basic example.
and use it as the default location for the DNSSEC root key. Update default
config for this location.
With this, the only step required to enable DNSSEC validation is to
uncomment these default config entries and restart:
#module-config: "validator iterator"
#auto-trust-anchor-file: "/var/unbound/db/root.key"
There is no longer a requirement to run unbound-anchor manually to
update the root key. The rc.d script will take care of updates at boot,
and Unbound will manage the file itself at runtime.
Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.