
DNSsec resolver test failed #4

Open
redschumi opened this issue Jan 27, 2022 · 4 comments


@redschumi

I did a resolver test with your adguard/unbound Docker image; 127.0.0.1:5053 is the upstream DNS.

resolver test @ dnssec.vs.uni-due.de failed with
„…No, your DNS resolver does NOT validate DNSSEC signatures“

Any chance to fix this?

Thanks in advance.

@lolgast1987
Owner

For DNSSEC to work, you'd have to use a custom unbound.conf, as this is not enabled by default:
https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/

@redschumi
Author

Thanks for your info. Can you give advice on how to do that in your container?

Or is there a chance that you implement this directly?

@hat3ph

hat3ph commented Mar 11, 2022

I tried to enable DNSSEC, but every time I enable auto-trust-anchor-file the unbound service fails in Docker.
As you can see when I log in to the container and list the processes, unbound is not running. Any idea?

Mem: 846924K used, 142940K free, 1964K shrd, 21380K buff, 545236K cached
CPU:   0% usr   0% sys   0% nic 100% idle   0% io   0% irq   0% sirq
Load average: 0.05 0.01 0.00 2/256 37
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
   10     1 root     S     730m  75%   1   0% /opt/adguardhome/AdGuardHome -c /opt/adguardhome/conf/AdGuardHome.yaml -w /opt/adguardho
   20     0 root     S     1664   0%   1   0% sh
    1     0 root     S     1596   0%   0   0% {entrypoint.sh} /bin/ash /opt/entrypoint.sh
   37    20 root     R     1596   0%   0   0% top
/opt/adguardhome/work # netstat -tulpa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:36743        0.0.0.0:*               LISTEN      -
tcp        0      0 :::http                 :::*                    LISTEN      10/AdGuardHome
tcp        0      0 :::domain               :::*                    LISTEN      10/AdGuardHome
udp        0      0 127.0.0.11:57253        0.0.0.0:*                           -
udp        0      0 :::domain               :::*                                10/AdGuardHome

docker-compose.yml

version: "3"

services:
  adguard-unbound:
    container_name: adguard-unbound
    image: lolgast/adguard-unbound
    restart: unless-stopped
    hostname: adguard-unbound
    # Volumes store your data between container upgrades
    volumes:
      - "./adguard/opt-adguard-work:/opt/adguardhome/work"
      - "./adguard/opt-adguard-conf:/opt/adguardhome/conf"
      - "./unbound:/opt/unbound"
      #- "/usr/share/dns:/usr/share/dns:rw"
      # root.key is the RFC 5011 trust anchor that unbound's
      # auto-trust-anchor-file setting rewrites when the anchor changes, so the
      # user unbound runs as inside the container needs read/write access to the
      # host file (and read access to root.hints). Fix that with ownership and
      # mode on the host copies rather than by running unbound as root.
      - "/usr/share/dns/root.hints:/opt/unbound/root.hints"
      - "/usr/share/dns/root.key:/opt/unbound/root.key"
    # Mappings are quoted so a generic YAML 1.1 parser can never read a bare
    # HH:MM pair as a base-60 integer. Every mapping below binds on all host
    # interfaces; a host-address prefix ("192.0.2.10:80:80/tcp" -- address is a
    # constructed example) limits the plaintext admin panel to one interface.
    ports:
      - "53:53/tcp" # AdGuard Home DNS connection
      - "53:53/udp" # AdGuard Home DNS connection
      - "3000:3000/tcp" # AdGuard Home web panel
      - "80:80/tcp" # AdGuard Home web panel HTTP
      #- "443:443/tcp" # AdGuard Home web panel HTTPS
      #- "784:784/udp" # AdGuard Home DNS-over-QUIC service
      #- "853:853/tcp" # AdGuard Home DNS-over-TLS/QUIC service
      #- "67:67/udp" # DHCP server
      #- "68:68/udp" # DHCP server
      # Publishing 5053 exposes unbound outside the container, and the
      # unbound.conf used here accepts queries from any source
      # (access-control 0.0.0.0/0 allow); keep these unpublished unless that
      # access-control is narrowed first.
      #- "5053:5053/tcp" # Unbound DNS connection
      #- "5053:5053/udp" # Unbound DNS connection

unbound.conf

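server:
        # if no logfile is specified, syslog is used
        # logfile: "/var/log/unbound/unbound.log"
        verbosity: 2
        logfile: "/opt/unbound/unbound.log"
        #log-time-ascii: yes

        # Listen on every interface inside the container. This is only reachable
        # from outside the container if port 5053 is published by the compose file.
        interface: 0.0.0.0
        port: 5053
        do-ip4: yes
        do-udp: yes
        do-tcp: yes

        # May be set to yes if you have IPv6 connectivity
        do-ip6: no

        # You want to leave this to no unless you have "native" IPv6. With 6to4 and
        # Terredo tunnels your web browser should favor IPv4 for the same reasons
        prefer-ip6: no

        # File with trust anchor for  one  zone, which is tracked with RFC5011
        # probes.
        # Get the root hint and anchor key from dns-root-data package
        root-hints: "/opt/unbound/root.hints"
        # unbound rewrites this file when the root trust anchor rolls (RFC 5011),
        # so it must be readable AND writable by the user unbound runs as; if the
        # mounted file cannot be opened, unbound does not start. Give that user
        # ownership of the file instead of running unbound as root.
        auto-trust-anchor-file: "/opt/unbound/root.key"
        #auto-trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"

        #chroot: "/opt/unbound"
        #directory: "/opt/unbound/"

        # Trust glue only if it is within the server's authority
        harden-glue: yes

        # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
        harden-dnssec-stripped: yes

        # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
        # see https://discourse.pi-hole.net/unbound-stubby-or-dnscrypt-proxy/9378 for further details
        use-caps-for-id: no

        # Reduce EDNS reassembly buffer size.
        # Suggested by unbound man page to reduce fragmentation reassembly problems
        edns-buffer-size: 1472

        # Perform prefetching of close to expired message cache entries
        # This only applies to domains that have been frequently queried
        prefetch: yes

        # One thread should be sufficient, can be increased on beefy machines. In reality for most
        # users running on small networks or on a single machine, it should be unnecessary to
        # seek performance enhancement by increasing num-threads above 1.
        num-threads: 1

        # Ensure kernel buffer is large enough to not lose messages in traffic spikes
        #so-rcvbuf: 1m
        so-rcvbuf: 0

        # Ensure privacy of local IP ranges: answers from public nameservers that
        # point at these ranges are dropped (DNS rebinding protection).
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
        private-address: fd00::/8
        # IPv6 link-local is fe80::/10 (RFC 4291); the fe00::/10 seen in some
        # copied configs does not cover fe80:: addresses at all.
        private-address: fe80::/10

        hide-identity: yes
        hide-version: yes

        # Accept queries from any source. Acceptable only while port 5053 stays
        # unpublished (AdGuard Home reaches unbound over localhost inside the
        # container); narrow this to the container network, e.g. the commented
        # RFC 1918 lines below, before publishing the port, or this becomes an
        # open resolver.
        access-control: 0.0.0.0/0 allow
        access-control: ::0/0 allow
        #access-control: 127.0.0.1/32 allow
        #access-control: 192.168.0.0/16 allow
        #access-control: 172.16.0.0/12 allow
        #access-control: 10.0.0.0/8 allow

        # ssl cert
        #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

        #forward-zone:
        #       name: "."
        #       forward-addr: 1.1.1.1@853#cloudflare-dns.com
        #       forward-addr: 1.0.0.1@853#cloudflare-dns.com
        #       forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        #       forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        #       forward-tls-upstream: yes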

@hat3ph

hat3ph commented Mar 12, 2022

OK. The problem is that unbound does not have permission to access root.key and root.hints.
I fixed it by running unbound as root.

https://github.com/hat3ph/docker-adguard-unbound
