Nsd can't bind udp socket: Address already in use

Greetings,

Unbound 1.4.20
OS X 10.8.4 - Server
NSD 3.2.15

I have installed 'unbound' and it works nicely on my client (test purpose) - Client is MacBook Air.
I have installed NSD (will be in replacement of BIND) on said client.
All is good but when I try to start NSD

Error --> nsd can't bind udp socket: address already in use.
Everything is configured to bind to 127.0.0.1.
# netstat -anp tcp | grep 127.0.0.1
tcp4 0 0 127.0.0.1.8953 *.* LISTEN
tcp4 0 0 127.0.0.1.53 *.* LISTEN
tcp4 0 0 127.0.0.1.311 *.* LISTEN
tcp4 0 0 127.0.0.1.631 *.* LISTEN

So I understand that 127.0.0.1 is just booked by other processes and in particular unbound.

What troubles me is how to solve that issue ?

Kind Regards,

zongo saiba

Hi Zongo,

So I understand that 127.0.0.1 is just booked by other processes and in
particular unbound.

What troubles me is how to solve that issue ?

You can't have two different processes bound to the same address+port
combination.

You need to configure Unbound and NSD to listen on different ports,
depending on what you are trying to achieve with your setup.

Regards,

Anand

Anand,

Sorry I forgot to mention that NSD is listening on port 5353.
Unbound is listening on 53.
One of my main goals is to have unbound talk directly to NSD for authoritative server on 127.0.0.1 only.
For that I understood that unbound and NSD would have to use the same port - Is this correct?
Nevertheless, I tried the same port "53" but got the same error message as mentioned above.

Regards,

zongo saiba

Hi Zongo,

Sorry I forgot to mention that NSD is listening on port 5353.
Unbound is listening on 53.
One of my main goals is to have unbound talk directly to NSD for
authoritative server on 127.0.0.1 only.
For that I understood that unbound and NSD would have to use the same
port - Is this correct?
Nevertheless, I tried the same port "53" but got the same error message as
mentioned above.

Okay, so you're on a Mac, where port 5353 is already in use by
mDNSResponder. Just configure your NSD to use some other high-numbered port.

Regards,

Anand

@inigo Creating a virtual network on OS X is not an easy task. I do know that you have to go through the GUI to do so. The NIC gets created but does not work with DNS. Was going down the road of 'tun/tap' as well, as the setup of this server is going to go into a virtual environment. First needs to finish the testing :slight_smile:

Thanks Anand. That was easily solved :) The error has gone and I now have NSD and Unbound working great. One question though about reverse lookup, which is not working with the current setup. Any idea what I could change to have the reverse lookup work? The setup is based on '' and '

Also I am getting this error

Is it safe to disregard? Was reading that it appears to not affect the unbound process. I can tell that unbound is still working properly :slight_smile:

Below is my setup.

NSD Set Up (nsd.conf):

server:
        ip-address: 127.0.0.1
        port: 56
        server-count: 1
        hide-version: yes
        identity: ""
        username: nsd
        database: /usr/local/etc/nsd/nsd.db
        pidfile: /usr/local/etc/nsd.pid
        zonesdir: /usr/local/etc/nsd

key:
        name: "sec_key"
        algorithm: hmac-md5
        secret: "654c6da8f3b0fd8fe819669daf07996738d21a53c02c731b0aee6373"

zone:
        name: zalloc.lan
        zonefile: zalloc.lan.forward

zone:
        name: 1.168.192.in-addr.arpa
        zonefile: zalloc.lan.reverse

server:

Forward zone file (zalloc.lan.forward):

$ORIGIN zalloc.lan.     ; default zone domain
$TTL 86400              ; default time to live
@       IN  SOA  kagami.zalloc.lan.  admin.zalloc.lan. (
                2013010704      ; serial number
                28800           ; refresh
                7200            ; retry
                864000          ; expire
                86400           ; min ttl
                )
        NS   kagami.zalloc.lan.
        MX   10 mail.zalloc.lan.
router  IN  A    192.168.1.1
kagami  IN  A    192.168.1.38

Reverse zone file (zalloc.lan.reverse):

$ORIGIN zalloc.lan.     ; default zone domain
$TTL 86400              ; default time to live
1.168.192.in-addr.arpa.  IN  SOA  kagami.zalloc.lan.  admin.zalloc.lan. (
                2013010704      ; serial number
                28800           ; refresh
                7200            ; retry
                864000          ; expire
                86400           ; min ttl
                )
38.1.168.192.in-addr.arpa.  IN  PTR  kagami.zalloc.lan.
1.1.168.192.in-addr.arpa.   IN  PTR  router.zalloc.lan.

Unbound Set Up (unbound.conf):

server:
        verbosity: 3
        val-log-level: 2
        interface: 127.0.0.1
        access-control: 127.0.0.1/8 allow
        access-control: 192.168.1.0/24 allow
        interface-automatic: no
        module-config: "validator iterator"
        chroot: ""
        port: 53
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes
        hide-identity: yes
        hide-version: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        use-caps-for-id: yes
        cache-min-ttl: 3600
        cache-max-ttl: 86400
        prefetch: yes
        prefetch-key: yes
        num-threads: 4
        root-hints: "/usr/local/etc/unbound/root.hints"

        #### OPTIMIZATION ####
        msg-cache-slabs: 8
        rrset-cache-slabs: 8
        infra-cache-slabs: 8
        key-cache-slabs: 8
        rrset-cache-size: 256m
        msg-cache-size: 128m
        so-rcvbuf: 4m

        private-address: 192.168.1.0/24
        private-domain: "zalloc.lan"
        domain-insecure: "zalloc.lan"
        unwanted-reply-threshold: 10000
        do-not-query-localhost: no
        val-clean-additional: yes
        auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

        local-zone: "doubleclick.net" redirect
        local-data: "doubleclick.net A 127.0.0.1"
        local-zone: "googlesyndication.com" redirect
        local-data: "googlesyndication.com A 127.0.0.1"
        local-zone: "googleadservices.com" redirect
        local-data: "googleadservices.com A 127.0.0.1"
        local-zone: "google-analytics.com" redirect
        local-data: "google-analytics.com A 127.0.0.1"
        local-zone: "ads.youtube.com" redirect
        local-data: "ads.youtube.com A 127.0.0.1"
        local-zone: "adserver.yahoo.com" redirect
        local-data: "adserver.yahoo.com A 127.0.0.1"

        # 127.0.0.1
        local-zone: "localhost." static
        local-data: "localhost. 10800 IN NS localhost."
        local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
        local-data: "localhost. 10800 IN A 127.0.0.1"
        local-zone: "127.in-addr.arpa." static
        local-data: "127.in-addr.arpa. 10800 IN NS localhost."
        local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
        local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost"

        # Local Zones
        local-zone: "192.in-addr.arpa." typetransparent

forward-zone:
        name: "zalloc.lan"

forward-zone:
        name: "192.in-addr.arpa."

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 8953
        server-key-file: "/usr/local/cellar/unbound/1.4.20/etc/unbound/unbound_server.key"
        server-cert-file: "/usr/local/cellar/unbound/1.4.20/etc/unbound/unbound_server.pem"
        control-key-file: "/usr/local/cellar/unbound/1.4.20/etc/unbound/unbound_control.key"
        control-cert-file: "/usr/local/cellar/unbound/1.4.20/etc/unbound/unbound_control.pem"

Hi,

Also i am getting this error
10/07/2013 14:03:12.523 unbound[705]: [705:0] error: could not open autotrust file for writing, /usr/local/etc/unbound/root.key.705-0: Permission denied
Is it safe to disregard? Was reading that it appears to not affect unbound process. I can tell that unbound is still working properly :slight_smile:

This looks like it is downloading the root key for DNS and attempting to pin it by storing it into the filesystem. You do want that, or you will be vulnerable to arbitrary DNSKEYs being claimed for . (the DNS root) which is probably not in line with the ideas you had when you rolled out DNSSEC.

You should probably find some evidence to the root key stored here as well. A few hints are your OS might provide it by now, or you could look for signatures by people you rely on.

-Rick

That depends on what you want to do.

You can make unbound or nsd listen on another IP address or port. But
clearly if you use unbound for resolving, you cannot replace it with
nsd, as your resolving would break.

If you want to use nsd to host some domains, and use unbound for
resolving the normal way with a special forward to those nsd domains,
you should run nsd on another port like 5353 and configure unbound
forward zones to point to 127.0.0.1@5353 for those zones.

Paul

Configure the zones you serve in nsd in unbound using:

stub-zone:
        name: "example.com."
        stub-addr: 127.0.0.1@5353
        stub-prime: "no"

Use port: 5353 in nsd.conf

Paul
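Paul's stub-zone snippet and the port choice for nsd have to agree with each other, and with the port Unbound itself listens on, before either daemon is started. The script below is an added example written for this thread (it is not code from the thread, from NLnet Labs, or from either project): it parses the small "clause:" / "key: value" subset of nsd.conf and unbound.conf used here and reports the mistakes that produced the errors in this thread. The sample configs are constructed for the demonstration; the port 5354 in the "good" pair is just an arbitrary free port, and the hint about 5353 restates Anand's point about mDNSResponder on OS X.

```python
"""Cross-check an NSD config against an Unbound config for the split Paul describes:
NSD serves zones on an alternate port, Unbound resolves for clients and hands those
zones to NSD through stub-zone / forward-zone clauses.

Added example for this thread; not code from the thread, NLnet Labs, NSD or Unbound.
The mini-parser handles only the "clause:" / "key: value" subset of both grammars."""


def parse_clauses(text):
    """Return [(clause_name, {key: [values]}), ...] in file order."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.endswith(":"):                        # "server:", "stub-zone:", "zone:" ...
            current = (line[:-1], {})
            clauses.append(current)
            continue
        if current is None:
            raise ValueError(f"option outside any clause: {line}")
        key, _, value = line.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                       # unquote "zalloc.lan."
        current[1].setdefault(key.strip(), []).append(value)
    return clauses


def norm_zone(name):
    """Lower-case, single trailing dot, so 'zalloc.lan' and "zalloc.lan." compare equal."""
    return name.lower().rstrip(".") + "."


def parse_addr(spec, default_port=53):
    """'127.0.0.1@5353' -> ('127.0.0.1', 5353); without '@' Unbound assumes port 53."""
    host, _, port = spec.partition("@")
    return host, int(port) if port else default_port


def nsd_view(nsd_text):
    """(listeners as [(ip, port)], zone names) from nsd.conf."""
    listeners, zones = [("0.0.0.0", 53)], []
    for clause, kv in parse_clauses(nsd_text):
        if clause == "server":
            port = int(kv.get("port", ["53"])[0])
            listeners = [(ip, port) for ip in kv.get("ip-address", ["0.0.0.0"])]
        elif clause == "zone":
            zones.append(norm_zone(kv["name"][0]))
    return listeners, zones


def unbound_view(unbound_text):
    """(listener, may-query-localhost, {zone: [(ip, port)]}) from unbound.conf."""
    listener, query_localhost, deleg = ("0.0.0.0", 53), False, {}
    for clause, kv in parse_clauses(unbound_text):
        if clause == "server":
            listener = (kv.get("interface", ["0.0.0.0"])[0], int(kv.get("port", ["53"])[0]))
            query_localhost = kv.get("do-not-query-localhost", ["yes"])[0] == "no"
        elif clause in ("stub-zone", "forward-zone"):
            addrs = kv.get("stub-addr", []) + kv.get("forward-addr", [])
            deleg[norm_zone(kv["name"][0])] = [parse_addr(a) for a in addrs]
    return listener, query_localhost, deleg


def check(nsd_text, unbound_text):
    """Human-readable findings; an empty list means the two configs are consistent."""
    findings = []
    nsd_listen, zones = nsd_view(nsd_text)
    ub_listen, query_localhost, deleg = unbound_view(unbound_text)
    for ip, port in nsd_listen:
        same_ip = ip == ub_listen[0] or "0.0.0.0" in (ip, ub_listen[0])
        if same_ip and port == ub_listen[1]:      # the "address already in use" case
            findings.append(f"conflict: NSD and Unbound both bind {ip}:{port}")
        if port == 5353:
            findings.append("warning: NSD on 5353, which mDNSResponder already uses on OS X")
    for zone in zones:
        targets = deleg.get(zone)
        if targets is None:
            findings.append(f"missing: no stub-zone/forward-zone in Unbound for {zone}")
        elif not targets:
            findings.append(f"no address: {zone} clause has no stub-addr/forward-addr")
        elif not any(t in nsd_listen for t in targets):
            findings.append(f"mismatch: {zone} points at {targets}, NSD listens on {nsd_listen}")
    loopback = any(t[0].startswith("127.") or t[0] == "::1"
                   for ts in deleg.values() for t in ts)
    if loopback and not query_localhost:     # Unbound refuses 127.0.0.1 targets by default
        findings.append("Unbound will not query 127.0.0.1 unless do-not-query-localhost: no")
    return findings


# Constructed samples: the thread's starting point (both daemons on 127.0.0.1:53) ...
NSD_CONF_BAD = """\
server:
    ip-address: 127.0.0.1
    port: 53
zone:
    name: zalloc.lan
    zonefile: zalloc.lan.forward
zone:
    name: 1.168.192.in-addr.arpa
    zonefile: zalloc.lan.reverse
"""
UNBOUND_CONF_BAD = """\
server:
    interface: 127.0.0.1
    port: 53
forward-zone:
    name: "zalloc.lan"               # no forward-addr at all
stub-zone:
    name: "1.168.192.in-addr.arpa."
    stub-addr: 127.0.0.1@5353        # NSD is not on 5353 in this sample
"""
# ... and a consistent pair (5354 is an arbitrary free port chosen for the example).
NSD_CONF_GOOD = NSD_CONF_BAD.replace("port: 53", "port: 5354")
UNBOUND_CONF_GOOD = """\
server:
    interface: 127.0.0.1
    port: 53
    do-not-query-localhost: no
stub-zone:
    name: "zalloc.lan."
    stub-addr: 127.0.0.1@5354
stub-zone:
    name: "1.168.192.in-addr.arpa."
    stub-addr: 127.0.0.1@5354
"""

if __name__ == "__main__":
    for label, pair in (("bad", (NSD_CONF_BAD, UNBOUND_CONF_BAD)),
                        ("good", (NSD_CONF_GOOD, UNBOUND_CONF_GOOD))):
        print(label, check(*pair) or "consistent")
```

Running it prints four findings for the "bad" pair (the port conflict, a forward-zone without an address, a stub-zone pointing at the wrong port, and the missing do-not-query-localhost: no) and "consistent" for the "good" pair. The same checker can be pointed at the real /usr/local/etc files once the "clause:" layout is kept, which is the form both daemons expect anyway.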

Okay, so you're on a Mac, where port 5353 is already in use by
mDNSResponder. Just configure your NSD to use some other high-numbered port.

FWIW, you can also configure an additional loopback address on OSX as
follows:

        sudo ifconfig lo0 alias 127.0.0.2 up

That would allow you to run both Unbound and NSD on port 53, providing
you ensure they bind to the respective addresses you dole out.

But this is a bit off topic: others here have already given you clean
solutions. :slight_smile:

        -JP

If you want to use nsd to host some domains, and use unbound for
    resolving the normal way with a special forward to those nsd domains,
    you should run nsd on another port like 5353 and configure unbound
    forward zones to point to 127.0.0.1@5353 for those zones.

As Anand has already pointed out, on the Mac port 5353 is likely to be
used by mDNS. Nowadays, it is even documented as a port reserved for this
purpose:

grep 5353 /etc/services
mdns 5353/tcp #Multicast DNS
mdns 5353/udp #Multicast DNS

(This is on a FreeBSD machine)

The same file suggests:
# The Dynamic and/or Private Ports are those from 49152 through 65535
so pick one in that range to be on the safe side.

  jaap

Hi,

The same file suggests:
# The Dynamic and/or Private Ports are those from 49152 through 65535
so pick one in that range to be on the safe side.

Hmm, these are the so-called ephemeral ports, which are automatically assigned, pretty much at random, if you don't bind to a local port before you make an outbound connection. It's a bit strange to be picking a port in that range for a server process. I would go for the range up to 49152 since those are fixated. You'd have to accept that 5353 has been taken, but at least any problems claiming a port are always the same and not something you would resolve with trying again or rebooting. Let's not turn UNIX into Windows, shall we? :wink:

-Rick
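Two things from this thread are worth being able to check without reading netstat output by hand: Anand's point that only one process can own an address+port pair for a given protocol, and the port-range discussion between Jaap and Rick. The script below is an added example for this thread (not code from the thread, from NSD or from Unbound). It reproduces the bind attempt the daemons make, separating "address already in use" from the different failure you get on port 53 as an unprivileged user, flags two daemons configured for the same socket before anything is started, and labels a candidate port with the ranges quoted from /etc/services. hold_port() is a stand-in for an already running daemon so the check can be exercised offline.

```python
"""Reproduce the diagnosis behind "nsd can't bind udp socket: address already in use":
try to bind the address+port for UDP and for TCP and report which side is taken.

Added example for this thread; not code from the thread, NSD or Unbound.
Only IPv4 is probed; ACLs, SO_REUSEPORT and firewalls are outside its scope."""

import errno
import socket
from contextlib import closing


def port_range(port):
    """IANA range label, following the /etc/services comment quoted in the thread."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic/private"


def bind_status(addr, port, proto):
    """'free', 'in use' or 'needs privilege' for addr:port over 'udp' or 'tcp'."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with closing(socket.socket(socket.AF_INET, kind)) as s:
        try:
            s.bind((addr, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:          # another socket owns it
                return "in use"
            if e.errno in (errno.EACCES, errno.EPERM):  # port < 1024 without root
                return "needs privilege"
            raise
    return "free"                                    # probe socket is closed on exit


def planned_conflicts(plan):
    """plan: {daemon: (addr, port)}. Daemons configured for the same socket; this is
    the error the thread hit and it is visible before either daemon is started."""
    seen, conflicts = {}, []
    for daemon, (addr, port) in plan.items():
        if (addr, port) in seen:
            conflicts.append((seen[(addr, port)], daemon, addr, port))
        else:
            seen[(addr, port)] = daemon
    return conflicts


def report(plan):
    """Per-daemon bind status for UDP and TCP plus the port-range label."""
    return {daemon: {"range": port_range(port),
                     "udp": bind_status(addr, port, "udp"),
                     "tcp": bind_status(addr, port, "tcp")}
            for daemon, (addr, port) in plan.items()}


def hold_port(addr="127.0.0.1", proto="udp"):
    """Stand-in for a running daemon: bind an OS-chosen port and keep the socket
    open. Returns (socket, port); closing the socket releases the port."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    s = socket.socket(socket.AF_INET, kind)
    s.bind((addr, 0))
    if proto == "tcp":
        s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # The thread's situation: Unbound on 127.0.0.1:53 and NSD configured for the same.
    plan = {"unbound": ("127.0.0.1", 53), "nsd": ("127.0.0.1", 53)}
    for a, b, addr, port in planned_conflicts(plan):
        print(f"{a} and {b} are both configured for {addr}:{port}")
    for daemon, status in report(plan).items():
        print(daemon, status)
```

On a box where Unbound already owns 127.0.0.1:53, bind_status() returns "in use" for both UDP and TCP when run as root, and "needs privilege" when run as an ordinary user; the latter is a different problem from the one in the thread and is worth telling apart before changing any config.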

Hi,

I know Rick answered me once already on this: But the fact that I validate DNSSEC with known good RRSIG, would that mean it's safe to ignore? I think I did not quite get the meaning of the answer from Rick. My apologies for that :slight_smile:

The unbound daemon is trying to download the trust anchor for the entire Internet. You are not permitting it to save that. I suppose it will continue to work with a memory-stored version, but it'll be risky every time you restart Unbound, because at that time it probably accepts whatever is offered at that time. Normally, it would find the root key among its configuration files and have a solid anchor point.

You should download it manually, verify it, and install it in /usr/local/etc/unbound/root.key. I'm including my file below, but of course you should seriously wonder if I can be trusted… a few other links are here, but I also have write access there so it hardly adds trust.

https://dnssec.surfnet.nl/?p=371

Oh… and if your Mac tells you the attachment is a keynote document… it's not :wink: it's ASCII

-Rick

(attachments)

root.key (759 Bytes)

Fixed the issue 'could not open autotrust file for writing, /usr/local/etc/unbound/root.key.705-0: Permission denied':
changed owner to _unbound and 'chmod g+x' on root.key.
I now have '-rw-rw-r-- 1 _unbound admin 759 10 Jul 13:20 root.key' - Would that be the correct permissions set?
Thanks Rick :slight_smile:
Thanks for all the help - was quite an experience compiling and installing Unbound and NSD on OSX :slight_smile:
Will start deep testing now.

Kind Regards

zongo
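The error Rick explained names the file Unbound actually tried to create: root.key.705-0, next to root.key, with pid 705 and thread 0 from the same log line. Unbound writes the refreshed anchor to that temporary name and then renames it over root.key, so what has to be writable by the daemon's user is the directory, not the anchor file itself (which only needs to be readable), and a directory that anyone can write to lets anyone rename a forged anchor into place. The script below is an added example for this thread (not code from the thread or from Unbound) that evaluates exactly those conditions for a given uid and group set by reading mode bits, so it can answer for the _unbound account while run as someone else; ACLs are not considered. The fixture directories and the 65534 identity are constructed for the demonstration.

```python
"""Check whether Unbound's auto-trust-anchor-file can be maintained by the daemon's
user: the anchor must be readable, and its directory writable, by that user.

Added example for this thread; not code from the thread or from Unbound. Permission
bits are evaluated by hand (owner/group/other) instead of os.access(), so the
question can be asked for any uid/gids; POSIX ACLs are ignored."""

import os
import stat
import tempfile

# Constructed stand-in for an unprivileged daemon account that owns nothing here.
OTHER_IDENTITY = (65534, {65534})


def current_identity():
    """(uid, set of gids) of the user running this script."""
    return os.getuid(), set(os.getgroups()) | {os.getgid()}


def _mode_allows(st, uid, gids, want):
    """Owner/group/other evaluation of one permission ('r', 'w' or 'x') for uid/gids."""
    owner, group, other = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
                           "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
                           "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}[want]
    if uid == 0:  # root bypasses r/w checks; execute/search still needs some x bit
        return want != "x" or bool(st.st_mode & (owner | group | other))
    if st.st_uid == uid:
        return bool(st.st_mode & owner)
    if st.st_gid in gids:
        return bool(st.st_mode & group)
    return bool(st.st_mode & other)


def autotrust_check(anchor_path, uid, gids):
    """Findings for the daemon identity uid/gids; an empty list means it will work."""
    findings = []
    anchor_path = os.path.abspath(anchor_path)
    directory = os.path.dirname(anchor_path)
    name = os.path.basename(anchor_path)
    dst = os.stat(directory)
    if not _mode_allows(dst, uid, gids, "x"):
        findings.append(f"directory {directory} is not searchable by uid {uid}")
    if not _mode_allows(dst, uid, gids, "w"):
        findings.append(f"directory {directory} is not writable by uid {uid}: "
                        f"the temporary {name}.<pid>-<thread> cannot be created")
    if os.path.exists(anchor_path):
        fst = os.stat(anchor_path)
        if not _mode_allows(fst, uid, gids, "r"):
            findings.append(f"{anchor_path} is not readable by uid {uid}")
        if fst.st_mode & stat.S_IWOTH:
            findings.append(f"{anchor_path} is world-writable: any local user can swap the anchor")
    else:
        findings.append(f"{anchor_path} is missing: install a verified anchor before first start")
    if dst.st_mode & stat.S_IWOTH and not dst.st_mode & stat.S_ISVTX:
        findings.append(f"directory {directory} is world-writable: any local user can "
                        "rename a forged anchor into place")
    return findings


def make_fixture(dir_mode, file_mode):
    """Constructed layout <tmp>/unbound/root.key with explicit modes; returns the anchor path."""
    directory = os.path.join(tempfile.mkdtemp(), "unbound")
    os.mkdir(directory)
    path = os.path.join(directory, "root.key")
    with open(path, "w") as f:
        f.write("; constructed placeholder, not a real trust anchor\n")
    os.chmod(path, file_mode)
    os.chmod(directory, dir_mode)
    return path


if __name__ == "__main__":
    # root.key with the thread's final mode (rw-rw-r--) in a directory the daemon
    # user cannot write: the file looks fine, the directory is the actual problem.
    anchor = make_fixture(0o755, 0o664)
    print(autotrust_check(anchor, *OTHER_IDENTITY) or "ok")
```

The interesting case is the one in the main block: a root.key that is readable and even group-writable still yields "directory ... is not writable" for a user that does not own the directory, which is the Permission denied from the thread in another guise. Fixing the directory ownership or group write bit, rather than the file, is what makes the temporary file and the rename succeed.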