# unbound not working



## hdc (Sep 19, 2017)

Hello

I followed very simple steps to set up unbound, but it is not working. My FreeBSD version is 11.0-RELEASE-p12.

At first this was the resolv.conf before unbound started:


```
$ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 8.8.8.8
nameserver 8.8.4.4
```

I start unbound via service:


```
$ service local_unbound start
Performing initial setup.
Extracting forwarders from /etc/resolv.conf.
/var/unbound/forward.conf created
/var/unbound/lan-zones.conf created
/var/unbound/control.conf created
/var/unbound/unbound.conf created
/etc/resolvconf.conf created
original /etc/resolv.conf saved as /etc/resolv.conf.20170919.121929
Starting local_unbound.
```

The service is running well, but it is not working.


```
$ ping google.com
ping: cannot resolve google.com: Host name lookup failure
```

I am not sure if that is some problem with DNSSEC:


```
$ drill -S freebsd.org           
;; Number of trusted keys: 1
;; Chasing: freebsd.org. A


DNSSEC Trust tree:
freebsd.org. (A)
|---freebsd.org. (DNSKEY keytag: 63768 alg: 8 flags: 256)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
```

Please help.


----------



## hdc (Sep 20, 2017)

getopt said:


> Unbound does not work out of the box without further configuration. See unbound.conf(5).
> Do not try DNSSEC before you have configured a working Unbound first.
> 
> Check with `# sockstat -l | grep unbound` if and where Unbound is listening. Each client's /etc/resolv.conf needs to match this or DHCP needs to be configured to use this address that is to be configured in unbound.conf.



Thanks, I studied the man page but I can't see anything wrong with the default configuration. The DNS server was configured properly in forward.conf:


```
$ cat forward.conf 
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
        name: .
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4
```


sockstat reports:


```
$ sudo sockstat -l | grep unbound
unbound  unbound    70191 3  udp6   ::1:53                *:*
unbound  unbound    70191 4  tcp6   ::1:53                *:*
unbound  unbound    70191 5  udp4   127.0.0.1:53          *:*
unbound  unbound    70191 6  tcp4   127.0.0.1:53          *:*
unbound  unbound    70191 7  stream /var/run/local_unbound.ctl
```

And in my testing, google.com could not be resolved even on the FreeBSD server itself.


----------
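
The check getopt describes above (every `nameserver` in /etc/resolv.conf must be an address Unbound is actually listening on), as an added example that is not part of the thread. The function names are hypothetical; the sockstat sample is the output posted above, and `RESOLV_LOCAL` is a constructed resolv.conf pointing at the loopback listener.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Sample data: sockstat lines as posted above; RESOLV_LOCAL is constructed.
SOCKSTAT_SAMPLE='unbound  unbound    70191 3  udp6   ::1:53                *:*
unbound  unbound    70191 4  tcp6   ::1:53                *:*
unbound  unbound    70191 5  udp4   127.0.0.1:53          *:*
unbound  unbound    70191 6  tcp4   127.0.0.1:53          *:*
unbound  unbound    70191 7  stream /var/run/local_unbound.ctl'
RESOLV_BEFORE='# Generated by resolvconf
nameserver 8.8.8.8
nameserver 8.8.4.4'
RESOLV_LOCAL='nameserver 127.0.0.1'

# Read `sockstat -l` output on stdin; print each address unbound serves on port 53.
unbound_listeners() {
    awk '$2 == "unbound" && $5 ~ /^(udp|tcp)[46]$/ && $6 ~ /:53$/ {
             addr = $6; sub(/:53$/, "", addr); print addr
         }' | sort -u
}

# Read resolv.conf text on stdin; print the nameserver addresses.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# check_resolver_match SOCKSTAT_TEXT RESOLV_TEXT
# Prints "OK <addr>" or "MISMATCH <addr>" per nameserver. Returns 0 only if
# at least one nameserver exists and all of them hit an unbound listener.
# A wildcard listener (*:53) matches any nameserver address.
check_resolver_match() {
    listeners=$(printf '%s\n' "$1" | unbound_listeners)
    servers=$(printf '%s\n' "$2" | resolv_nameservers)
    [ -n "$servers" ] || { echo "MISMATCH (no nameserver lines)"; return 1; }
    rc=0
    for ns in $servers; do
        if printf '%s\n' "$listeners" | grep -Fxq -e "$ns" -e '*'; then
            echo "OK $ns"
        else
            echo "MISMATCH $ns"; rc=1
        fi
    done
    return $rc
}

check_resolver_match "$SOCKSTAT_SAMPLE" "$RESOLV_LOCAL"
```

On a live system, pass `"$(sockstat -l)"` and `"$(cat /etc/resolv.conf)"` as the two arguments.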



## hdc (Sep 21, 2017)

The problem should be with DNSSEC. If I use this in unbound.conf:


```
module-config:                  "iterator"
```

that works fine.

But I still have a problem making it work with DNSSEC. I have created root.hints and the root.key generated by unbound itself, but `drill -S` does not seem successful:


```
$ drill -S freebsd.org @8.8.8.8
;; Number of trusted keys: 1
;; Chasing: freebsd.org. A


DNSSEC Trust tree:
freebsd.org. (A)
|---freebsd.org. (DNSKEY keytag: 63768 alg: 8 flags: 256)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
```

Is there anything I could try to get DNSSEC working?


----------

