Follow up from the previous post.
Quick and dirty howto adapted from instructions found at dnscrypt.org
The first step is to install unbound:
brew install unbound
Next, download the DNSSEC root trust anchor to /usr/local/etc/unbound/:
sudo unbound-anchor -a /usr/local/etc/unbound/root.key
Add the following to /usr/local/etc/unbound/unbound.conf at the end of the server section. Note that unbound will be running under the nobody account, and I’m assuming that dnscrypt-proxy is already listening on port 40! For that you must change the plist of dnscrypt-proxy; see the earlier post about dnscrypt-proxy.
auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
interface: 127.0.0.1
access-control: 127.0.0.0/8 allow
chroot: ""
username: "nobody"
do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
Copy the plist config for launchd to /Library/LaunchDaemons:
sudo cp -fv /usr/local/opt/unbound/homebrew.mxcl.unbound.plist /Library/LaunchDaemons
Start unbound:
sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.unbound.plist
Test it with:
dig +dnssec . @localhost
You should see something like:
; <<>> DiG 9.8.3-P1 <<>> +dnssec .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44948
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
If the ad (authenticated data) flag is present, the response was DNSSEC-validated by unbound.
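As an added check (example code written for this post, not from the original or from unbound/dnscrypt), the script below does what the dig test does at the wire level: it sends a query with the EDNS0 DO bit to the resolver on 127.0.0.1:53 and reads the ad bit and the rcode straight out of the response header, so it also spots the SERVFAIL a validating resolver returns for bogus data. The resolver address, port and transaction id are assumptions.

```python
import socket
import struct

FLAG_AD = 1 << 5        # Authenticated Data: the resolver validated the answer
FLAG_TC = 1 << 9        # TrunCated: the UDP answer was cut short
RCODE_SERVFAIL = 2      # what a validating resolver returns for bogus data
TXID = 0x1234           # fixed transaction id, an assumption for this illustration

def build_query(name: str, qtype: int = 1) -> bytes:
    """Query for `name` (default type A) with an EDNS0 OPT record and the DO bit
    set; that bit is what `dig +dnssec` sets and what asks for validation info."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    labels = [l for l in name.rstrip(".").split(".") if l]    # "." becomes the empty root name
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)           # class IN
    # OPT RR: root owner, type 41, UDP size 4096, ext-rcode 0, version 0, DO flag, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header into the fields that matter for validation."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "tc": bool(flags & FLAG_TC), "answers": an, "authority": ns}

def classify(hdr: dict) -> str:
    """Map the header bits to the three outcomes the post cares about."""
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "bogus"          # validation failed (or the upstream is unreachable)
    if hdr["ad"]:
        return "validated"      # the ad flag from the dig output above
    return "unvalidated"        # answered, but the resolver did not validate it

def query_resolver(name: str, server: str = "127.0.0.1", port: int = 53, timeout: float = 3.0) -> dict:
    """Send one query over UDP to the resolver and return its parsed header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != TXID:
        raise ValueError("transaction id mismatch: not the answer to our query")
    return hdr

if __name__ == "__main__":
    # Same check as `dig +dnssec . @localhost`: the root zone should come back "validated".
    hdr = query_resolver(".")
    print(classify(hdr), hdr)
```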
When I try to use unbound-anchor I get a command not found error. It seems like Homebrew doesn’t install this utility (any longer?). If I continue – but remove the anchor-file line from the configuration file – I still see the ad flag when testing with dig, though. Should this work?