# unbound (package) and trust-anchor



## rainer_d (Mar 27, 2017)

Hi,

When unbound (1.6.0 on 11-amd64) tries to fetch its trust-anchor, it contacts the root-servers.

In my setup, I need it to go through my upstream-caches (no other IPs permitted).

I've configured forwarders in an include-file - but these seem to be ignored for the trust-anchor initialization. They work for normal queries.

How is this supposed to be done?


----------



## rainer_d (Mar 27, 2017)

Yes, this is what I have:


```
include: /usr/local/etc/unbound/forward.conf
```



```
forward-zone:
   name: .
   forward-addr: a.a.a.a
   forward-addr: b.b.b.b
```

The forward-first thing is a default, according to the documentation.


----------



## rainer_d (Mar 27, 2017)

Yes, only queries to the upstream-caches are allowed (firewall).
I can see in the ktrace output that it contacts the root-servers.


----------



## rainer_d (Mar 27, 2017)

No, that's not an option.
I am the admin. These central upstream caches are going to be our choke-points for DNS-traffic. It's currently way too easy to create hidden data channels via DNS (used by APT-style trojans).


----------



## rainer_d (Mar 28, 2017)

This is what is needed:

```
unbound_anchorflags="-C /usr/local/etc/unbound/unbound.conf"
```

Then it uses my forwarders.

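An added audit script (not from this thread) that verifies the fix above on a host: it reads rc.conf for the `-C` argument of `unbound_anchorflags`, follows the config's `include:` lines, and confirms a forward-zone for `.` with at least one `forward-addr` exists, so the trust-anchor fetch cannot silently fall back to the root servers. The file paths, function names and one-level include handling are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumes rc.conf uses double-quoted
# values, unbound.conf attribute lines are indented (as in the thread's
# forward.conf), and include: lines point at single files without spaces.

# Print every forward-addr declared for the root zone "." in cfg and the files
# it includes (one level deep, matching the thread's layout).
root_forwarders() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    files="$cfg $(awk '$1=="include:"{print $2}' "$cfg")"
    for f in $files; do
        [ -r "$f" ] || continue
        awk '
            $1=="forward-zone:" {inzone=1; isroot=0; next}
            /^[^ \t]/           {inzone=0}     # unindented line starts a new clause
            inzone && $1=="name:" {isroot=($2==".")}
            inzone && isroot && $1=="forward-addr:" {print $2}
        ' "$f"
    done
}

# Extract the -C argument from unbound_anchorflags in an rc.conf; empty if absent.
anchor_cfg_from_rc() {
    sed -n 's/^unbound_anchorflags="\(.*\)"$/\1/p' "$1" |
        awk '{for (i = 1; i < NF; i++) if ($i == "-C") print $(i+1)}'
}

# Returns 0 when unbound-anchor is pinned to the forwarders, 1 otherwise.
check_anchor_forwarding() {
    cfg=$(anchor_cfg_from_rc "$1")
    if [ -z "$cfg" ]; then
        echo "unbound_anchorflags lacks -C <conf>: unbound-anchor will query the root servers directly"
        return 1
    fi
    n=$(root_forwarders "$cfg" | awk 'END{print NR}')
    if [ "$n" -eq 0 ]; then
        echo "$cfg declares no forward-addr for '.': bootstrap would bypass the caches"
        return 1
    fi
    echo "ok: unbound-anchor reads $cfg, $n forwarder(s) for '.'"
}
```

Run as `check_anchor_forwarding /etc/rc.conf` on the host; a non-zero exit means the bootstrap path does not match the firewall policy.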

----------

