Friday, June 5, 2015

Configuring OpenBSD 6.1 KVM for static route external to egress subnet

So, I provisioned a{nother} small OpenBSD KVM server online recently and was handed a /32 IP address (no extended subnet) and a default route that would have required a /5 (248.0.0.0) to correctly operate -- such great planning on the part of the hosting provider. Meh.  I'm no stranger to odd routing practices, so I realize (and hope) I'm not alone when I complain about interface-based routing tables jacking things up.

Here's how it's accomplished within OpenBSD for the curious blogosphere.  In /etc/hostname.vio0 (or /etc/hostname.em0, or whatever your interface is):

inet your.ip.address 255.255.255.255
!route add -inet your.default.gateway -llinfo -link -static -iface vio0

And, then in /etc/mygate:
your.default.gateway

This will allow your virtual machine to communicate with the external world.  I hope this helps someone out there!
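To see why the plain inet line alone doesn't cut it here, the following script (an added example, not part of the original post) takes an address, netmask and gateway, decides whether the gateway is on-link, and only when it is not emits the !route line from above alongside the inet line. The interface name vio0 is taken from the post; the 198.51.100.0/24 addresses are constructed (TEST-NET-2), not anything the provider handed out.

```shell
#!/bin/sh
# Added example: decide whether a default gateway lies inside the interface's
# subnet and emit an OpenBSD hostname.if(5) fragment accordingly.
# Addresses below are constructed (TEST-NET-2), not the provider's.

# Convert a dotted-quad IPv4 address to an unsigned integer.
ip_to_int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when $3 (gateway) is in the subnet given by $1 (address) and $2 (mask).
gateway_on_link() {
    _ip=$(ip_to_int "$1"); _mask=$(ip_to_int "$2"); _gw=$(ip_to_int "$3")
    [ $(( _ip & _mask )) -eq $(( _gw & _mask )) ]
}

# Print the hostname.<iface> contents: always the inet line, plus the
# link-layer interface route only when the gateway is off-subnet.
gen_hostname_if() {
    _addr=$1; _netmask=$2; _gateway=$3; _iface=$4
    printf 'inet %s %s\n' "$_addr" "$_netmask"
    if ! gateway_on_link "$_addr" "$_netmask" "$_gateway"; then
        printf '!route add -inet %s -llinfo -link -static -iface %s\n' \
            "$_gateway" "$_iface"
    fi
}

# Count the lines gen_hostname_if produced (1 = plain, 2 = with the route).
hostname_if_lines() {
    gen_hostname_if "$@" | grep -c .
}

# Stand-alone demonstration: a /32 handed out by the provider versus a
# conventional /24 on the same (constructed) network.
demo() {
    echo "# /32 address, gateway off-link:"
    gen_hostname_if 198.51.100.10 255.255.255.255 198.51.100.1 vio0
    echo "# /24 address, gateway on-link:"
    gen_hostname_if 198.51.100.10 255.255.255.0 198.51.100.1 vio0
}
demo
```

With a /32 the masked address and masked gateway can never be equal, so the script always adds the interface route; with the /24 it drops it, because the kernel will already see the gateway as directly reachable. In both cases /etc/mygate still just carries the gateway address.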

Sunday, May 10, 2015

Configuring TLS/SSL on OpenBSD 5.7's httpd

This isn't so difficult - the relayd-based httpd server is not just a step in the right direction, it's a leap.  It contains 99% of the features you need with 1% of the bloat, and it "just works".  Here's a quick primer on how to get TLS/SSL operational with your own self-signed certificate.

Edit /etc/httpd.conf:

ext_addr="*"
server "default" {
        listen on $ext_addr port 80
        listen on $ext_addr tls port 443
        root "/htdocs"
        tls {
                certificate "/etc/ssl/server.crt"
                key "/etc/ssl/private/server.key"
        }
}

Then generate your own key and certificate:

# openssl genrsa -out /etc/ssl/private/server.key
Generating RSA private key, 2048 bit long modulus
.......+++
.........+++
e is 65537 (0x10001)

# openssl req -new -x509 -key /etc/ssl/private/server.key -out /etc/ssl/server.crt -days 3650

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:198.18.18.198
Email Address []:

Finally, restart httpd:

# /etc/rc.d/httpd -f restart
httpd(ok)
httpd(ok)

Naturally, your certificate won't be trusted because it was self-signed.  You can also generate a certificate signing request and send it off to your certificate authority, at which point (once you pay), they'll return a cert.  But, you get the idea!
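The interactive openssl req prompts above can be scripted. This added example (mine, not the post's) generates the key and a self-signed certificate non-interactively, puts the host name or IP into a subjectAltName as well as the CN (current clients match the SAN, not the CN), and writes the private key with mode 0600 so only root can read it. It assumes an OpenSSL or LibreSSL openssl binary on the path; the output directory and the address 198.51.100.10 are constructed placeholders, and on the server you would point the two paths in httpd.conf at the resulting server.key and server.crt.

```shell
#!/bin/sh
# Added example: non-interactive self-signed key/certificate for httpd(8).
# Assumes an OpenSSL or LibreSSL 'openssl' on PATH. Output directory, host
# name and addresses are constructed placeholders.

# mkcert DIR HOST [DAYS]: write DIR/server.key (mode 0600) and DIR/server.crt.
# HOST goes into the CN and into a subjectAltName, as IP: or DNS: depending
# on its shape, since clients match the SAN rather than the CN.
mkcert() {
    _dir=$1; _host=$2; _days=${3:-3650}
    case $_host in
        *[!0-9.]*) _san="DNS:$_host" ;;   # anything but digits and dots: a name
        *)         _san="IP:$_host"  ;;   # only digits and dots: an IPv4 literal
    esac
    mkdir -p "$_dir" || return 1
    # Request template: prompt=no takes the subject from [dn]; x509_extensions
    # applies [v3_server] to the self-signed certificate.
    cat > "$_dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $_host
[v3_server]
subjectAltName = $_san
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask in a subshell keeps the 0600 key mode local to this one command.
    ( umask 077 && openssl genrsa -out "$_dir/server.key" 2048 2>/dev/null ) \
        || return 1
    openssl req -new -x509 -key "$_dir/server.key" -out "$_dir/server.crt" \
        -days "$_days" -config "$_dir/req.cnf" 2>/dev/null || return 1
}

# cert_san FILE: print the subjectAltName entries of a PEM certificate.
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -E '^ *(DNS|IP Address):' \
        | sed 's/^ *//'
}

# file_mode FILE: the symbolic permission string, e.g. -rw-------.
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Stand-alone demonstration in a throwaway directory.
if command -v openssl >/dev/null 2>&1; then
    _tmp=$(mktemp -d)
    mkcert "$_tmp" 198.51.100.10 365 && {
        echo "SAN:      $(cert_san "$_tmp/server.crt")"
        echo "key mode: $(file_mode "$_tmp/server.key")"
    }
    rm -rf "$_tmp"
fi
```

The config-file route (rather than -addext) is used on purpose: it works the same on older OpenSSL and on LibreSSL, which is what OpenBSD ships. Run it as mkcert /etc/ssl your.host.name and the files land where the httpd.conf above expects them; the key directory /etc/ssl/private is the conventional place and is root-only by default.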

Wednesday, May 6, 2015

Configuring OpenBSD 6.1 default unbound with dnscrypt/DNSSEC to encrypt round-robin outbound DNS lookups/queries

I'm not a paranoiac, and I certainly don't feel inclined to /hide/ from anyone, but that's not a reason not to protect my DNS queries from a simple snoop by unscrupulous ISPs.  I simply prefer good network topology and security to convenience.  With OpenBSD, I can have both security AND convenience with only a minimal amount of fuss.  Why use anything else?

There are some caveats here, but the scope of those is beyond the point of this writing.

First, you'll need to install dnscrypt-proxy.  If you don't have PKG_PATH defined, you can simply pull it directly like this:

pkg_add -v http://ftp.openbsd.org/pub/OpenBSD/`uname -r`/packages/`uname -m`/dnscrypt-proxy

If you find you want the latest version of dnscrypt-proxy (1.9.4 as of this writing), follow this script:

# groupadd -g 688 _dnscrypt-proxy
# useradd -g _dnscrypt-proxy -s /sbin/nologin -u 688 -d /var/empty -c "dnscrypt-proxy user" -L daemon _dnscrypt-proxy
# cd /tmp
# ftp https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.9.4.tar.gz
# tar -zxvpf dnscrypt-proxy-1.9.4.tar.gz
# cd dnscrypt-proxy-1.9.4
# ./configure
# make
# make install

Next, you'll need to decide which DNS server you'd like to use.  A CSV list can be found in /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv.  For the sake of this discussion, I'm going to use the first one in the list, adamas (no particular reason; it was simply first).

Next, start dnscrypt-proxy as user _dnscrypt-proxy (automatically added via pkg installation or script above) with the following command:

/usr/local/sbin/dnscrypt-proxy -l /var/log/dnscrypt-proxy.log -u _dnscrypt-proxy -d -a 127.0.0.1:54 -R adamas

This will allow us to monitor /var/log/dnscrypt-proxy.log for errors during the testing sequences.  Once any errors have been located and resolved, you can switch the -l to /dev/null.  Personally, I prefer to keep a log file, but that's your decision to make.

Now edit the default unbound configuration at /var/unbound/etc/unbound.conf.  You'll obviously need to change the local interface IP if you plan to allow the rest of your network to use it; mine is 172.16.18.1/24.

server:
    interface: 172.16.18.1
    interface: 127.0.0.1
    access-control: 172.16.18.0/24 allow
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@54

Edit your /etc/resolv.conf to point to 127.0.0.1, then start unbound (/etc/rc.d/unbound -f).

To test, I use tcpdump to examine outbound packets on port 5678 (you'll need to examine the line in the CSV file mentioned above to find the correct port for your resolver).  If you make a DNS request and see traffic on that port to the server listed in /var/log/dnscrypt-proxy.log, you're probably set (as long as the request returns a valid answer, naturally!).

[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #808464433 is valid from [2014-10-32] to [2015-10-32]
[INFO] Server key fingerprint is 5499:C1EE:97DD:889A:AD9E:C59B:80BD:365A:B38D:B125:25B5:5896:9CE0:5881:7792:8237

[NOTICE] Proxying from 127.0.0.1:54 to 80.90.43.162:5678

You can also monitor /var/log/messages to ensure that unbound started, or at least isn't complaining about one or more of your configuration directives.

To prevent all other outbound DNS queries, a few PF rules might not hurt, but that is, once again, beyond the scope of this unilaterally-focused discussion.

For those who want to round-robin amongst a group of encrypted DNS transports, this is what I've found works well:

Start 6 instances of dnscrypt-proxy, each on lo0 with a unique port:

/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:54 -R adamas
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:55 -R opendns
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:56 -R cypherpunk
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:57 -R dnscrypt.org-fr
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:58 -R okturtles
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:59 -R opennic-ca-ns3

Then simply modify the forward-zone you previously configured in /var/unbound/etc/unbound.conf so that it lists all 6 as forward-addr entries:

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@54
    forward-addr: 127.0.0.1@55
    forward-addr: 127.0.0.1@56
    forward-addr: 127.0.0.1@57
    forward-addr: 127.0.0.1@58
    forward-addr: 127.0.0.1@59

Reload unbound:

/etc/rc.d/unbound -f reload

To confirm, you can tcpdump on ports 443 and 5678 to see which servers are getting distributed hits.  This should offer a level of redundancy/reliability to the process, as long as unbound remains running.
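Keeping six start lines, six forward-addr entries and a tcpdump filter in sync by hand gets old quickly, so here is an added script (not from the post) that derives all three from one list of resolver names and the dnscrypt-resolvers.csv file. The CSV it parses is a constructed, column-reduced sample: the real file has more columns, which is why fields are looked up by header name rather than by position. The adamas address is the one the post's log shows (80.90.43.162:5678); the opendns address 203.0.113.53:443 is a constructed placeholder.

```shell
#!/bin/sh
# Added example: build the per-resolver dnscrypt-proxy start lines, the
# matching unbound forward-zone, and a tcpdump filter for the upstreams.

# Constructed, column-reduced sample of dnscrypt-resolvers.csv. The adamas
# address comes from the log in the post; everything else is a placeholder.
write_sample_csv() {
    cat > "$1" <<'EOF'
Name,Full name,Description,Location,Resolver address,Provider name
adamas,"Adamas","Constructed sample, DNSSEC validating",Germany,80.90.43.162:5678,2.dnscrypt-cert.example.org
opendns,"OpenDNS (sample)","Constructed sample",USA,203.0.113.53:443,2.dnscrypt-cert.example.com
EOF
}

# resolver_addr NAME CSV: print the "ip:port" column for NAME; exit 1 if absent.
# The awk splitter keeps commas that sit inside quoted fields; doubled quotes
# inside a field are not unescaped, which is enough for this file.
resolver_addr() {
    awk -v want="$1" '
    function csv_split(line, f,    n, i, c, inq, cur) {
        n = 0; cur = ""; inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\"")             inq = !inq
            else if (c == "," && !inq) { f[++n] = cur; cur = "" }
            else                       cur = cur c
        }
        f[++n] = cur
        return n
    }
    NR == 1 { n = csv_split($0, h); for (i = 1; i <= n; i++) col[h[i]] = i; next }
    {
        n = csv_split($0, f)
        if (f[col["Name"]] == want) { print f[col["Resolver address"]]; found = 1; exit }
    }
    END { exit found ? 0 : 1 }
    ' "$2"
}

# gen_dnscrypt_cmds BASEPORT NAME...: one start line per resolver, each on
# the next loopback port (the post uses 54..59 for six resolvers).
gen_dnscrypt_cmds() {
    _port=$1; shift
    for _r in "$@"; do
        printf '/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:%d -R %s\n' \
            "$_port" "$_r"
        _port=$((_port + 1))
    done
}

# gen_forward_zone BASEPORT COUNT: the unbound forward-zone block to match.
gen_forward_zone() {
    _port=$1; _count=$2; _i=0
    printf 'forward-zone:\n    name: "."\n'
    while [ "$_i" -lt "$_count" ]; do
        printf '    forward-addr: 127.0.0.1@%d\n' $((_port + _i))
        _i=$((_i + 1))
    done
}

# upstream_filter CSV NAME...: a tcpdump filter that matches only the chosen
# resolvers' upstream endpoints, so unexpected DNS traffic stands out.
upstream_filter() {
    _csv=$1; shift; _filter=""
    for _r in "$@"; do
        _addr=$(resolver_addr "$_r" "$_csv") || { echo "unknown resolver: $_r" >&2; return 1; }
        _term="(host ${_addr%:*} and port ${_addr##*:})"
        _filter=${_filter:+$_filter or }$_term
    done
    printf '%s\n' "$_filter"
}

# Stand-alone demonstration with the constructed CSV.
_csv=$(mktemp); write_sample_csv "$_csv"
gen_dnscrypt_cmds 54 adamas opendns
gen_forward_zone 54 2
echo "tcpdump -ni egress '$(upstream_filter "$_csv" adamas opendns)'"   # egress = OpenBSD interface group
rm -f "$_csv"
```

Point write_sample_csv's output at the real /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv instead and the same functions produce the six lines from the post. Watching the generated filter with tcpdump shows hits spread across the upstreams as unbound rotates through the forward-addr list; any port 53 traffic leaving the box outside that filter is a sign that something is bypassing the proxies.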

Enjoy!

Continued... Since I got a few (ha!) replies to this shortly after posting the previous information, I thought I'd go ahead and wrap up a DNSSEC unbound config while I'm at it.

You'll first need to run /usr/sbin/unbound-anchor.  I do it as follows; note that the anchor file it writes (/var/unbound/db/root.key) MUST be writable by the _unbound user:

# sudo -u _unbound /usr/sbin/unbound-anchor -vvvv -F
/var/unbound/db/root.key does not exist
debug cert update forced
last successful probe: Fri May  8 21:43:42 2015
the last successful probe is recent
/var/unbound/etc/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
trusted certificates (0/1)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
        Validity
            Not Before: Dec 23 04:19:12 2009 GMT
            Not After : Dec 18 04:19:12 2029 GMT
        Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
                    bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
                    9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
                    27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
                    fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
                    22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
                    e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
                    d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
                    e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
                    1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
                    39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
                    ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
                    7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
                    31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
                    9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
                    09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
                    04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
                    85:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
    Signature Algorithm: sha256WithRSAEncryption
         0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
         3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
         c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
         b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
         7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
         9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
         90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
         84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
         98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
         5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
         c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
         1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
         90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
         70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
         e7:40:61:a4
resolved server address 72.21.81.189
resolved server address 2606:2800:11f:bb5:f27:227f:1bbf:a0e
connect to 2606:2800:11f:bb5:f27:227f:1bbf:a0e
connect: No route to host
connect to 72.21.81.189
server SSL certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:e1:04:33:b3:bb:e4:3e:9b:d1:5c:07:6e:15:ea:9f
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
        Validity
            Not Before: Oct 22 12:00:01 2013 GMT
            Not After : Dec  8 12:00:00 2015 GMT
        Subject: C=US, ST=California, L=Santa Monica, O=EdgeCast Networks, Inc., CN=s2.wpc.edgecastcdn.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a8:52:16:b5:4f:04:fe:a4:57:b6:04:c5:3f:50:
                    c9:10:0b:ee:7f:fe:ae:dd:ef:ba:50:c7:5e:2f:aa:
                    71:f5:e3:29:0e:72:62:3e:52:3c:d0:05:66:fa:e4:
                    fc:57:38:cc:3d:78:15:e1:52:da:3d:f2:2e:c5:aa:
                    ef:4a:e1:24:a4:cd:e2:9e:83:a3:84:2b:a8:1f:02:
                    7f:9c:94:8c:a8:8d:57:5b:ea:2c:ad:fd:92:75:7c:
                    06:86:c4:27:52:1b:cd:31:50:86:af:eb:41:24:ee:
                    26:b3:ac:4b:27:0c:3f:d2:ef:16:dd:0b:9e:06:61:
                    af:94:04:c8:00:30:e4:8d:55:2b:ef:ac:89:8a:9f:
                    03:d6:b1:65:ac:29:7b:e6:1d:50:78:0f:55:53:3f:
                    91:bd:2d:49:2c:98:05:6a:eb:66:9b:0c:97:f0:b2:
                    12:b0:1e:3e:96:6a:ae:ed:ae:05:1b:59:ff:22:08:
                    7d:f8:94:3f:fe:91:3f:13:b4:ac:26:3d:4a:fb:2e:
                    6d:62:76:4d:9e:8d:4b:c0:19:2f:32:d6:83:28:de:
                    05:5d:b8:86:ea:5e:f0:51:fb:df:76:e4:24:ff:f8:
                    72:70:ab:68:d7:eb:00:a7:ed:00:77:bd:27:24:a0:
                    1d:13:84:77:3d:f4:39:a5:55:53:57:a6:72:76:c4:
                    29:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B

            X509v3 Subject Key Identifier: 
                14:BB:9C:34:3C:67:7A:C5:CE:23:24:9B:86:D6:98:4A:82:C0:56:51
            X509v3 Subject Alternative Name: 
                DNS:s2.wpc.edgecastcdn.net, DNS:data.iana.org, DNS:videos.grovo.com, DNS:portal.netoptimize.telekom.net
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl3.digicert.com/sha2-ha-server-g4.crl

                Full Name:
                  URI:http://crl4.digicert.com/sha2-ha-server-g4.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS

            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         9b:80:88:3b:e5:17:f8:55:53:5c:21:0a:e9:d6:4e:54:d3:63:
         94:e3:b1:04:31:e9:79:4f:6a:52:79:3b:28:33:d3:dd:80:c4:
         0d:20:5e:92:45:8f:3c:57:5f:6d:69:26:05:ab:28:c0:ac:69:
         83:0b:33:95:85:57:2c:e5:73:cd:2d:44:bd:9c:31:38:9d:3d:
         50:99:e5:bd:9d:0f:2a:48:75:3c:7b:b1:85:b5:df:dd:cf:a1:
         8c:d1:67:c3:df:63:67:8f:09:78:1f:a1:73:32:05:9a:ed:ff:
         e9:07:17:cf:71:fa:2d:a9:ce:52:e4:f6:a5:20:8c:80:69:ba:
         47:20:e1:81:55:be:50:64:0b:0e:43:10:35:68:73:5e:77:7e:
         8f:1d:ae:48:d4:d5:53:5d:ba:0f:1a:fb:73:9d:64:f9:76:eb:
         a0:28:c0:b4:23:98:67:7c:67:ce:d7:ce:a1:d7:ee:90:24:c0:
         11:ef:31:fd:64:45:1b:e4:56:67:18:75:02:06:ee:e9:6f:9c:
         0a:69:09:33:46:49:46:b5:8d:ff:d0:98:e7:a9:1e:06:51:9b:
         e3:bf:35:bf:ee:60:ad:91:a3:79:0f:9c:7c:87:6e:14:83:15:
         e9:3b:0a:b1:9a:22:0d:f1:c7:7a:b0:46:39:22:de:80:69:9a:
         55:b0:cd:8c
SSL_write: GET /root-anchors/root-anchors.xml HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.5.2
SSL_write: 
header: 'HTTP/1.1 200 OK'
header: 'Accept-Ranges: bytes'
header: 'Cache-Control: max-age=604800'
header: 'Content-Type: text/xml'
header: 'Date: Sat, 09 May 2015 02:43:43 GMT'
header: 'Etag: "64192-1a2-512c93b68be80"'
header: 'Expires: Sat, 16 May 2015 02:43:43 GMT'
header: 'Last-Modified: Fri, 03 Apr 2015 03:06:18 GMT'
header: 'Server: ECAcc (dfw/562B)'
header: 'X-Cache: HIT'
header: 'Content-Length: 418'
at 0/418
read 418 data
read data:  3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 54 72 75 73 74 41 6e 63 68 6f 72 20 69 64 3d 22 41 44 34 32 31 36 35 46 2d 33 42 31 41 2d 34 37 37 38 2d 38 46 34 32 2d 44 33 34 41 31 44 34 31 46 44 39 33 22 20 73 6f 75 72 63 65 3d 22 68 74 74 70 3a 2f 2f 64 61 74 61 2e 69 61 6e 61 2e 6f 72 67 2f 72 6f 6f 74 2d 61 6e 63 68 6f 72 73 2f 72 6f 6f 74 2d 61 6e 63 68 6f 72 73 2e 78 6d 6c 22 3e 0a 3c 5a 6f 6e 65 3e 2e 3c 2f 5a 6f 6e 65 3e 0a 3c 4b 65 79 44 69 67 65 73 74 20 69 64 3d 22 4b 6a 71 6d 74 37 76 22 20 76 61 6c 69 64 46 72 6f 6d 3d 22 32 30 31 30 2d 30 37 2d 31 35 54 30 30 3a 30 30 3a 30 30 2b 30 30 3a 30 30 22 3e 0a 3c 4b 65 79 54 61 67 3e 31 39 30 33 36 3c 2f 4b 65 79 54 61 67 3e 0a 3c 41 6c 67 6f 72 69 74 68 6d 3e 38 3c 2f 41 6c 67 6f 72 69 74 68 6d 3e 0a 3c 44 69 67 65 73 74 54 79 70 65 3e 32 3c 2f 44 69 67 65 73 74 54 79 70 65 3e 0a 3c 44 69 67 65 73 74 3e 34 39 41 41 43 31 31 44 37 42 36 46 36 34 34 36 37 30 32 45 35 34 41 31 36 30 37 33 37 31 36 30 37 41 31 41 34 31 38 35 35 32 30 30 46 44 32 43 45 31 43 44 44 45 33 32 46 32 34 45 38 46 42 35 3c 2f 44 69 67 65 73 74 3e 0a 3c 2f 4b 65 79 44 69 67 65 73 74 3e 0a 3c 2f 54 72 75 73 74 41 6e 63 68 6f 72 3e 0a
fetched root-anchors/root-anchors.xml (418 bytes)
connect to 72.21.81.189
server SSL certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:e1:04:33:b3:bb:e4:3e:9b:d1:5c:07:6e:15:ea:9f
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
        Validity
            Not Before: Oct 22 12:00:01 2013 GMT
            Not After : Dec  8 12:00:00 2015 GMT
        Subject: C=US, ST=California, L=Santa Monica, O=EdgeCast Networks, Inc., CN=s2.wpc.edgecastcdn.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a8:52:16:b5:4f:04:fe:a4:57:b6:04:c5:3f:50:
                    c9:10:0b:ee:7f:fe:ae:dd:ef:ba:50:c7:5e:2f:aa:
                    71:f5:e3:29:0e:72:62:3e:52:3c:d0:05:66:fa:e4:
                    fc:57:38:cc:3d:78:15:e1:52:da:3d:f2:2e:c5:aa:
                    ef:4a:e1:24:a4:cd:e2:9e:83:a3:84:2b:a8:1f:02:
                    7f:9c:94:8c:a8:8d:57:5b:ea:2c:ad:fd:92:75:7c:
                    06:86:c4:27:52:1b:cd:31:50:86:af:eb:41:24:ee:
                    26:b3:ac:4b:27:0c:3f:d2:ef:16:dd:0b:9e:06:61:
                    af:94:04:c8:00:30:e4:8d:55:2b:ef:ac:89:8a:9f:
                    03:d6:b1:65:ac:29:7b:e6:1d:50:78:0f:55:53:3f:
                    91:bd:2d:49:2c:98:05:6a:eb:66:9b:0c:97:f0:b2:
                    12:b0:1e:3e:96:6a:ae:ed:ae:05:1b:59:ff:22:08:
                    7d:f8:94:3f:fe:91:3f:13:b4:ac:26:3d:4a:fb:2e:
                    6d:62:76:4d:9e:8d:4b:c0:19:2f:32:d6:83:28:de:
                    05:5d:b8:86:ea:5e:f0:51:fb:df:76:e4:24:ff:f8:
                    72:70:ab:68:d7:eb:00:a7:ed:00:77:bd:27:24:a0:
                    1d:13:84:77:3d:f4:39:a5:55:53:57:a6:72:76:c4:
                    29:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B

            X509v3 Subject Key Identifier: 
                14:BB:9C:34:3C:67:7A:C5:CE:23:24:9B:86:D6:98:4A:82:C0:56:51
            X509v3 Subject Alternative Name: 
                DNS:s2.wpc.edgecastcdn.net, DNS:data.iana.org, DNS:videos.grovo.com, DNS:portal.netoptimize.telekom.net
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl3.digicert.com/sha2-ha-server-g4.crl

                Full Name:
                  URI:http://crl4.digicert.com/sha2-ha-server-g4.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS

            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         9b:80:88:3b:e5:17:f8:55:53:5c:21:0a:e9:d6:4e:54:d3:63:
         94:e3:b1:04:31:e9:79:4f:6a:52:79:3b:28:33:d3:dd:80:c4:
         0d:20:5e:92:45:8f:3c:57:5f:6d:69:26:05:ab:28:c0:ac:69:
         83:0b:33:95:85:57:2c:e5:73:cd:2d:44:bd:9c:31:38:9d:3d:
         50:99:e5:bd:9d:0f:2a:48:75:3c:7b:b1:85:b5:df:dd:cf:a1:
         8c:d1:67:c3:df:63:67:8f:09:78:1f:a1:73:32:05:9a:ed:ff:
         e9:07:17:cf:71:fa:2d:a9:ce:52:e4:f6:a5:20:8c:80:69:ba:
         47:20:e1:81:55:be:50:64:0b:0e:43:10:35:68:73:5e:77:7e:
         8f:1d:ae:48:d4:d5:53:5d:ba:0f:1a:fb:73:9d:64:f9:76:eb:
         a0:28:c0:b4:23:98:67:7c:67:ce:d7:ce:a1:d7:ee:90:24:c0:
         11:ef:31:fd:64:45:1b:e4:56:67:18:75:02:06:ee:e9:6f:9c:
         0a:69:09:33:46:49:46:b5:8d:ff:d0:98:e7:a9:1e:06:51:9b:
         e3:bf:35:bf:ee:60:ad:91:a3:79:0f:9c:7c:87:6e:14:83:15:
         e9:3b:0a:b1:9a:22:0d:f1:c7:7a:b0:46:39:22:de:80:69:9a:
         55:b0:cd:8c
SSL_write: GET /root-anchors/root-anchors.p7s HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.5.2
SSL_write: 
header: 'HTTP/1.1 200 OK'
header: 'Accept-Ranges: bytes'
header: 'Cache-Control: max-age=604800'
header: 'Content-Type: text/plain; charset=UTF-8'
header: 'Date: Sat, 09 May 2015 02:43:43 GMT'
header: 'Etag: "64191-1389-512c93b68be80"'
header: 'Expires: Sat, 16 May 2015 02:43:43 GMT'
header: 'Last-Modified: Fri, 03 Apr 2015 03:06:18 GMT'
header: 'Server: ECAcc (dfw/56D0)'
header: 'X-Cache: HIT'
header: 'Content-Length: 5001'
at 0/5001
at 4095/5001
read 5001 data
read data:  30 82 13 85 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 13 76 30 82 13 72 02 01 01 31 0b 30 09 06 05 2b 0e 03 02 1a 05 00 30 0b 06 09 2a 86 48 86 f7 0d 01 07 01 a0 82 11 44 30 82 03 6d 30 82 02 55 a0 03 02 01 02 02 01 06 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 29 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 17 30 15 06 03 55 04 03 13 0e 49 43 41 4e 4e 20 45 4d 41 49 4c 20 43 41 30 1e 17 0d 31 34 30 36 31 31 31 38 34 33 33 32 5a 17 0d 31 37 30 36 31 30 31 38 34 33 33 32 5a 30 4a 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 18 30 16 06 03 55 04 03 0c 0f 64 6e 73 73 65 63 40 69 61 6e 61 2e 6f 72 67 31 1e 30 1c 06 09 2a 86 48 86 f7 0d 01 09 01 16 0f 64 6e 73 73 65 63 40 69 61 6e 61 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 a5 2b f7 9a d8 9c 48 a6 d8 bb f3 7c db f5 4e 9d 44 19 ce 23 9f 7f 65 81 0a c6 b3 05 32 ec f5 9c cd 61 34 c0 75 dd 8d ce 0b 52 4c f4 08 bd 3c c5 a4 c8 13 a6 70 93 92 0f ca 40 cd 8b 61 03 d2 79 2e ff 17 74 ba 6d b4 20 f0 be 9f 89 15 49 6d 45 69 dc a7 d3 7b eb 82 23 12 d8 c4 7f 57 11 6a c0 a7 ef 96 18 e6 7c 3c 1d b5 23 ce fe 72 dd bb fb ec d4 62 50 4a 73 32 b6 f4 9f bc 12 b3 21 c5 62 78 eb b0 5c 32 db 8f 83 b7 87 b6 db 26 d3 ca 9a 0c 4a ce d1 42 1f 7c ec ad 32 d1 fc ac d9 7c c5 90 03 3d a9 3c 73 ed 45 d9 15 b1 7e 5d 4c 83 44 b1 98 4a 54 ad 3a fd d4 da 08 7c a2 c6 51 b1 36 75 6e 6f 8f 0e 88 f5 12 64 3f 6b 19 31 57 55 75 ad 7d bc 8a 92 07 98 06 d6 ad ff 68 54 1e de af d6 9e 61 f5 a7 c0 51 77 fe 76 eb 81 bd a0 1a 5e 9c 68 d8 e5 3a 28 c0 50 cb cb 98 4f f5 ac e9 49 02 03 01 00 01 a3 7f 30 7d 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 00 a0 30 1d 06 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 04 06 08 2b 06 01 05 05 07 03 02 30 1f 06 03 55 1d 23 04 18 30 16 80 14 7b 3f ba ce a1 b3 a6 13 2e 5a 82 84 d4 d2 ea a5 24 f1 cd b4 30 1d 06 03 55 1d 0e 04 16 04 14 a6 3a 41 2f a5 69 a4 95 7c 9b 1f 7d 4f 60 c9 ea 95 94 cf eb 30 
0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 0f b8 90 03 78 a9 45 49 81 e5 49 18 58 92 91 e6 84 59 54 3a 81 8f a2 d8 1b 20 a7 17 29 3d ee 55 f2 8d 05 20 3a e3 3e 49 ee 7a a7 52 be e1 47 ec 31 77 8e 24 bf 51 93 b3 5b 4c 2c 29 41 53 6f 9c 35 2c aa fe 6f 88 3b 0e 5d 4a b1 bb e7 1c 04 64 a9 ad d4 e1 26 f8 57 b2 df 4b 6f b9 c3 fd 16 7a 40 34 f9 1c 54 f1 42 5f 06 8c 97 1d c7 4d c9 22 d1 fe ab 8b 7d 12 ab b5 04 91 af f1 f9 4a 96 d9 0c 56 31 44 8a 10 dc f2 b2 45 60 52 27 79 b8 31 81 d6 9d 04 09 3c 44 a9 37 57 c6 87 c1 e3 98 23 be 77 01 27 70 af d3 32 0b 48 a6 dc 00 ec c9 ea 04 f7 e6 45 17 05 f5 36 00 4d b7 a1 df 0d da 15 f8 3d c2 0c d8 ba 8c ec 76 89 9a 9b 8f 2f 18 28 2e af a3 57 e9 ee 99 d7 0a cf d5 a0 2d 5b f5 18 82 42 c4 48 d5 7e d3 08 2a 07 08 51 d3 ff 6c f1 d3 42 0e c7 8e b1 89 ee ff 26 d3 59 76 cb ab af 30 82 03 77 30 82 02 5f a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 1e 17 0d 30 39 31 32 32 33 30 34 31 39 31 32 5a 17 0d 32 39 31 32 31 38 30 34 31 39 31 32 5a 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 a0 db 70 b8 4f 34 da 9c d4 d0 7e bb ea 15 bc e9 c9 11 2a 1f 61 2f 6a b9 bd 3f 3d 76 a0 9a 0a f7 ee 93 6e 6e 55 53 84 8c f2 2c f1 82 27 c8 0f 9a cf 52 1b 54 da 28 d2 2c 30 8e dd fb 92 20 33 2d d6 c8 f1 0e 10 21 88 71 fa 84 22 4b 5d 47 56 16 7c 9b 9f 5d c3 11 79 9c 14 e2 ff c0 74 ac dd 39 d7 e0 38 d8 b0 73 aa fb d1 
db 84 af 52 22 a8 f6 d5 9b 94 f4 e6 5d 5e e8 3f 87 90 0b c7 1a 77 f5 2e d3 8f 1a ce 02 1d 07 69 21 47 32 da 46 ae 00 4c b6 a5 a2 9c 39 c1 c0 4a f6 d3 1c ae d3 6d bb c7 18 f0 7e ed f6 80 ce d0 01 2e 89 de 12 ba ee 11 cb a6 7a d7 0d 7c f3 08 8d 72 9d bf 55 75 13 70 bb 31 22 4a cb e8 c0 aa a4 09 aa 36 68 40 60 74 9d e7 19 81 43 22 52 fe c9 2b 52 0f 41 13 36 09 72 65 95 cc 89 ae 6f 56 17 16 34 73 52 a3 04 ed bd 88 82 8a eb d7 dc 82 52 9c 06 e1 52 85 41 02 03 01 00 01 a3 42 30 40 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 fe 30 1d 06 03 55 1d 0e 04 16 04 14 ba 52 e9 49 83 24 86 52 2f c7 99 cd fc 8d 6b 69 08 4d c0 50 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 0f f1 e9 82 a2 0a 87 9f 2d 94 60 5a b2 c0 4b a1 2f 2b 3b 47 d5 0a 99 86 38 b2 ec c6 3b 89 e4 6e 07 cf 14 c7 c7 e8 cf 99 8f aa 30 c3 19 70 b9 e6 6d d6 3f c8 68 26 b2 a0 a5 37 42 ca d8 62 80 d1 a2 5a 48 2e 1f 85 3f 0c 7b c2 c7 94 11 5f 19 2a 95 ac a0 3a 03 d8 91 5b 2e 0d 9c 7c 1f 2e fc e9 44 e1 16 26 73 1c 45 4a 65 c1 83 4c 90 f3 f2 28 42 df db c4 e7 04 12 18 62 43 5e bc 1f 6c 84 e6 bc 49 32 df 61 d7 99 ee e4 90 52 7b 0a c2 91 8a 98 62 66 b1 c8 e0 b7 5a b5 46 7c 76 71 54 8e cc a4 81 5c 19 db d2 6f 66 b5 bb 2b ae 6b c9 74 04 a8 24 de e8 c5 d3 fc 2c 1c d7 8f db 6a 8d c9 53 be 5d 50 73 ac cf 1f 93 c0 52 50 5b a2 4f fe ad 65 36 17 46 d1 2d e5 a2 90 66 05 db 29 4e 5d 50 5d e3 4f da a0 8f f0 6b e4 16 70 dd 7f f3 77 7d b9 4e f9 ec c3 33 02 d7 e9 63 2f 31 e7 40 61 a4 30 82 03 86 30 82 02 6e a0 03 02 01 02 02 01 09 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 1e 17 0d 31 34 30 36 31 31 31 38 34 31 32 31 5a 17 0d 31 39 30 36 31 30 31 38 34 31 32 31 5a 30 4b 31 0e 30 0c 06 03 
55 04 0a 13 05 49 43 41 4e 4e 31 18 30 16 06 03 55 04 03 13 0f 49 43 41 4e 4e 20 44 4e 53 53 45 43 20 43 41 31 1f 30 1d 06 09 2a 86 48 86 f7 0d 01 09 01 13 10 64 6e 73 73 65 63 40 69 63 61 6e 6e 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c0 bf e2 b4 ee 12 46 36 3b 7c d2 46 21 64 5a 93 e1 e3 02 10 25 bb a5 30 70 19 89 98 7e 9e db 8e 0f ac c8 48 66 0e 1a f8 81 e5 2d 3c 7b 39 39 76 28 8f ee 0a a7 dd 64 e9 5f 87 25 b1 64 e5 59 03 fc bc 29 3b 63 37 c8 d7 46 9a b6 ce 87 55 cd cf e2 ab e9 c7 8a 53 2e 25 87 b0 98 d6 20 a3 a8 ec 87 b0 39 a3 c4 c5 75 59 3c fb 91 03 fa ee 7f e9 2b b6 70 88 69 2c e6 f1 4f fc d0 47 b4 e9 a0 2c fa 0c c3 84 eb be 73 5a bc 16 ed d0 83 02 2d eb 6a 21 02 51 70 29 1e 4f c9 69 03 9f 91 32 5c 2c 1a 9f 5e 45 48 2a 50 ee 72 14 ec 17 29 fc 20 95 7d 22 6a c6 6f 83 a2 58 8e b1 64 c8 73 23 54 6c 69 1d 66 1f df f8 4f 24 a1 a8 ae 00 7f e9 89 41 a6 e3 88 1d 3a e1 b3 3a ef 29 45 32 9b 94 2e b7 6c 1e fe 31 40 13 e1 bd 52 67 d0 d8 c3 3e 03 84 48 72 9d bd 8a 48 a0 f2 72 35 b6 03 4b c6 e9 05 02 03 01 00 01 a3 63 30 61 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 06 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ba 52 e9 49 83 24 86 52 2f c7 99 cd fc 8d 6b 69 08 4d c0 50 30 1d 06 03 55 1d 0e 04 16 04 14 8f b2 42 69 c3 9d e4 3c fa 13 b9 ff f2 c0 a4 ef d8 0f e8 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 47 75 12 ff 99 c1 95 a7 41 71 d2 bd 08 98 d4 55 28 f8 52 78 9e d9 88 bf f8 0d fd ba 7d bb 55 19 f1 17 39 26 99 a5 ee 0b b2 26 a3 b7 31 f6 56 48 ec 53 17 b1 32 ab 32 2d a5 e7 15 1d 03 d1 66 ec 8d 8c 2a 3f 74 bd b2 0e 9b 73 43 93 ed c5 d4 eb 1f 33 23 a7 ef fa 8e 27 35 8f 58 1d 6b b1 fe 85 42 c6 ac 66 87 3b d1 58 f5 95 ef d3 f9 4a 65 e6 27 aa d6 4f 22 5e 7f 6f dd ae 33 63 b5 8d cf d0 18 8c ad 16 dc 63 ba c8 49 f9 ea fc 3d 02 64 b9 9d d8 3c 19 43 21 5e 92 6a cf 08 e9 00 eb 75 ac d8 c2 43 70 9d 9b 6c 50 7b 3e 72 ba 56 b7 32 3e 67 9e 7d 39 f6 a6 
8f a8 49 a0 a7 6f cf 66 74 b1 59 08 07 bf 5a 19 f5 e5 88 e8 51 7c 33 45 79 5a ad b5 08 15 33 61 e8 56 fd 03 04 48 02 8b fb bf 07 59 71 ad 81 05 7c 16 7a 7e 00 30 a0 c9 fd 44 f4 f7 1e 05 d1 da 4f 14 6f a7 bd ab 99 57 d6 5d 30 82 03 64 30 82 02 4c a0 03 02 01 02 02 01 07 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 1e 17 0d 31 34 30 36 31 31 31 38 33 38 31 33 5a 17 0d 31 39 30 36 31 30 31 38 33 38 31 33 5a 30 29 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 17 30 15 06 03 55 04 03 13 0e 49 43 41 4e 4e 20 45 4d 41 49 4c 20 43 41 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 d2 19 1e 22 69 33 f6 a4 d2 76 c5 80 11 75 8e d0 e8 6f bf 89 f8 2a 6a da 8a 85 28 40 ba c5 23 5f 47 ed 72 e2 8e d3 5c c8 8a 3a 99 a9 57 2c 0a 2b 22 f3 54 7b 8b f7 8c 21 a2 50 01 4f 8b af 34 df 72 fc 78 31 d0 1d eb bc 9b e6 fa c1 84 d0 05 07 8a 74 53 a5 60 9e eb 75 9e a8 5d 32 c8 02 32 e4 bf cb 97 9b 7a fa 2c f6 6a 1d b8 57 ad e3 03 22 93 d0 f4 4f a8 b8 01 db 82 33 98 b6 87 ed 3d 67 40 00 27 2e d5 95 d2 ad 36 46 14 c6 17 79 65 7f 65 f3 88 80 65 7c 22 67 08 23 3c cf a5 10 38 72 30 97 92 6f 20 4a ba 24 4c 4a c8 4a a5 dc 2a 44 a1 29 78 b4 9f fe 84 ff 27 5b 3a 72 ea 31 c1 ad 06 22 d6 44 a0 4a 57 32 9c f2 46 47 d0 89 6e 20 23 2c ea b0 83 7e c1 f3 ea da dd e3 63 59 97 21 fa 1b 11 39 27 cf 82 8b 56 15 d4 36 92 0c a5 7e 80 e0 18 c9 50 08 42 0a df 97 3c 9c b8 0a 4d b1 02 03 01 00 01 a3 63 30 61 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 06 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ba 52 e9 49 83 24 86 52 2f c7 99 cd fc 8d 6b 69 08 4d c0 50 30 1d 06 03 55 1d 0e 04 16 04 14 7b 3f ba ce a1 b3 a6 13 2e 5a 82 84 d4 d2 ea a5 
24 f1 cd b4 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 94 e7 2b 2b 25 6f 3b 26 dd f9 aa 83 b8 14 2b a8 1f 4d 09 6e 56 44 68 15 01 29 d2 92 7e 75 bb 7b a9 40 98 4f fe f6 80 fe 69 02 0e 18 72 01 c0 74 73 e3 00 e2 87 a8 1f 79 5d 7a b8 8a aa 22 b0 4d 1f 56 85 98 40 97 72 4c b1 4e 38 6e ba 4c 12 af 2f 7c ef 48 03 5f 13 f7 4d d5 17 6f 5d 38 e9 7a 8f f6 82 ee 4f 09 4c 85 a6 88 eb 7d 62 ba 13 34 dc 2d 6d 86 94 35 69 bc 9f 7d c8 89 97 3a a4 81 e5 2b a3 6d 49 cb b6 57 97 86 97 3f 3e 07 8a 3b 55 d4 9f 95 63 0c 5f 8a 95 84 fc 3c 37 f1 e5 a1 f1 e5 0c d5 86 d8 3f a6 79 4d c5 a9 10 8e d1 38 a3 05 36 eb 2c 37 fb 70 bb 98 67 25 6d e9 d3 9c de b6 b7 32 7c 4c 98 be 4d 45 02 cb 93 de ce e7 64 a9 e8 5d ef d1 ed ee 8f c9 92 98 3a 46 75 ee 5a 84 82 25 56 ee 50 2f 63 62 70 5b 1b 7d 23 79 50 b5 b6 9c 5f c4 ba 27 e1 9a dc 71 74 81 26 f9 30 82 03 62 30 82 02 4a a0 03 02 01 02 02 01 08 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 1e 17 0d 31 34 30 36 31 31 31 38 34 30 33 32 5a 17 0d 31 39 30 36 31 30 31 38 34 30 33 32 5a 30 27 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 15 30 13 06 03 55 04 03 13 0c 49 43 41 4e 4e 20 53 53 4c 20 43 41 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 dd c6 ab bf 7c 66 9d b3 2b 96 00 14 c7 60 7a 8d 62 5b 26 4b 30 d7 b3 4c 82 69 c6 4d 4d 73 f3 d4 91 21 5d ab 35 f0 c8 04 0e f4 a3 35 e2 e1 18 a9 98 12 03 58 f8 9f eb 77 54 5b 89 81 26 c9 aa c2 f4 c9 0c 82 57 2a 5e 05 e9 61 17 cc 19 18 71 eb 35 83 c1 86 9d ec f1 6b ca dd a1 96 0b 95 d4 e1 0f 9e 24 6f dc 3c d0 28 9e f2 53 47 2b a1 ad 32 03 c8 3f 0d 80 80 7d f0 02 d2 6e 5a 2c 44 21 9b 09 50 15 3f a1 3d d3 c9 c8 24 e7 ea 4e 92 2f 94 90 2e de e7 68 f6 c6 b3 90 1f 
bc c9 7b a2 65 d7 11 e9 8b f0 3a 5a b7 17 07 df 69 e3 6e b9 54 6a 8e 3a aa 94 7f 2c 0a a1 ad ba b7 d9 60 62 27 a7 71 40 3b 8e b0 84 7b b8 c8 67 ef 66 ba 3d ac c3 85 e5 86 bb a7 9c fd b6 e1 c0 10 53 3d d4 7e 1b 09 e6 9f 22 5c a7 27 09 7e 27 12 33 fa df 9b 20 2f 14 f7 17 c0 e4 1e 07 91 1f f9 9a cd a8 e2 c5 02 03 01 00 01 a3 63 30 61 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 06 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ba 52 e9 49 83 24 86 52 2f c7 99 cd fc 8d 6b 69 08 4d c0 50 30 1d 06 03 55 1d 0e 04 16 04 14 6e 77 a8 40 10 4a d8 9c 0c f2 b7 5a 3a a5 2f 79 4a 61 14 d8 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 0f 7d cd f4 fc 33 b2 b9 47 68 a8 c1 1e 52 73 6f cc 72 1f 53 59 0a c6 ba 91 58 23 4c b2 a3 97 36 9a 0a 9a 9a 03 43 ee 7b b1 61 f4 59 ab e3 ab 9f 1f 93 8f 52 36 b5 6a f7 f8 92 f2 ee cb bc 31 9a 1a 70 01 f7 4b c4 65 9f 25 8b 15 77 62 2c f1 63 21 c2 18 04 77 35 4c 64 fc 20 1a 49 24 05 c3 fc 44 1f ff 26 ea 42 97 fe 77 ca cd 58 40 d3 fa ce 2e 35 47 d5 33 45 11 76 81 ec 37 b6 fe 15 c7 74 f9 49 ef 4e 8a da 70 ec 9c 0b 38 79 05 8c 5b 66 3e e5 5f 32 a9 55 5e ca b6 00 fe 12 17 cb 39 7a 91 44 77 42 25 f3 13 56 12 e3 7b 82 62 24 8c dd 24 bd 6b 74 8c 47 9d 90 ad 6c 31 93 12 54 fa 8d 95 b0 9a eb b8 1f 99 dd 7e 65 ed a4 69 b8 6b 59 a0 78 8b 73 f5 f5 ea f8 9c 9a 07 8a eb 84 d5 43 65 6b a2 1e 71 6c 78 aa b3 4a 05 c5 46 3d 44 66 87 d3 91 27 25 9f 48 50 51 32 cb 5e 55 1c 1a 7b 31 82 02 09 30 82 02 05 02 01 01 30 2e 30 29 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 17 30 15 06 03 55 04 03 13 0e 49 43 41 4e 4e 20 45 4d 41 49 4c 20 43 41 02 01 06 30 09 06 05 2b 0e 03 02 1a 05 00 a0 81 b1 30 18 06 09 2a 86 48 86 f7 0d 01 09 03 31 0b 06 09 2a 86 48 86 f7 0d 01 07 01 30 1c 06 09 2a 86 48 86 f7 0d 01 09 05 31 0f 17 0d 31 35 30 33 33 31 31 38 33 37 31 35 5a 30 23 06 09 2a 86 48 86 f7 0d 01 09 04 31 16 04 14 9b b8 17 68 fb 30 95 58 40 96 99 96 93 41 8f cd b1 3d 7b 9c 30 52 06 09 2a 86 48 86 f7 0d 01 09 0f 31 45 30 
43 30 0a 06 08 2a 86 48 86 f7 0d 03 07 30 0e 06 08 2a 86 48 86 f7 0d 03 02 02 02 00 80 30 0d 06 08 2a 86 48 86 f7 0d 03 02 02 01 40 30 07 06 05 2b 0e 03 02 07 30 0d 06 08 2a 86 48 86 f7 0d 03 02 02 01 28 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 04 82 01 00 1b 03 d6 c6 8f 9e 81 cb 6d 21 60 6e e7 89 2f 46 2a f8 47 ae 48 ad 43 6c 77 76 ca a5 ad e9 a3 ed db 8c 03 2a e5 9d 41 45 d9 ea 0a ee d0 d3 ce d7 25 9d 2c 53 7a a9 9a 4e 6a 21 f7 4e d1 2b 98 63 40 aa 15 59 ed 84 76 bd c6 2d 6f 46 b6 0c e0 37 50 af b7 d7 65 e6 8a 6c d1 ea 5b 4f c8 f3 f3 37 28 c9 93 8c 7e b4 8f 5a b4 16 77 68 0e 3a cf b3 f4 ef 82 a3 83 8c 1f 30 63 45 69 6d 64 06 2b fa 4f 81 4d 94 c7 f1 f7 9f e7 1e cb c8 59 70 fc 02 f4 d7 63 7c f4 09 b8 d3 1d b0 7d 6a 71 70 e7 ad e0 44 48 e3 7a 72 51 4b f6 68 21 74 89 dd da e8 be 5e 29 38 e1 31 da 92 ad 28 36 f2 d9 ae 26 18 26 e8 53 18 62 29 77 88 5a 59 a9 19 74 46 c0 98 cf 6e 1b 81 2a 2b 2d 77 2b 74 bd c5 44 de be e5 7a aa 1b df 1e b4 dd ac 0a c4 8e 5f 68 59 07 ac ec 65 48 73 68 bc 3f b6 81 9f bf 16 01 e1 3c fb
fetched root-anchors/root-anchors.p7s (5001 bytes)
parsed the PKCS7 signature
setup the X509_STORE
signer 0: Subject: /O=ICANN/CN=dnssec@iana.org/emailAddress=dnssec@iana.org
commonName: dnssec@iana.org
emailAddress: dnssec@iana.org
keyUsage: Digital Signature, Key Encipherment
the PKCS7 signature verified
xml tag start 'TrustAnchor'
  id='AD42165F-3B1A-4778-8F42-D34A1D41FD93'
  source='http://data.iana.org/root-anchors/root-anchors.xml'
TrustAnchor charhandle: '
'
xml tag start 'Zone'
Zone charhandle: '.'
xml tag end   'Zone'
xml tag start 'KeyDigest'
  id='Kjqmt7v'
  validFrom='2010-07-15T00:00:00+00:00'
use KeyDigest charhandle: '
'
xml tag start 'KeyTag'
use KeyTag charhandle: '19036'
xml tag end   'KeyTag'
xml tag start 'Algorithm'
use Algorithm charhandle: '8'
xml tag end   'Algorithm'
xml tag start 'DigestType'
use DigestType charhandle: '2'
xml tag end   'DigestType'
xml tag start 'Digest'
use Digest charhandle: '49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5'
xml tag end   'Digest'
xml tag end   'KeyDigest'
xml tag end   'TrustAnchor'
XML was parsed successfully, 1 keys
got DS bio 139: '; created by unbound-anchor on Fri May  8 21:43:43 2015
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
'
success: the anchor has been updated using the cert

This creates /var/unbound/db/root.key, which holds the DS record for the root KSK that unbound will validate against. Two things worth knowing: the trust in what was downloaded comes from the PKCS#7 signature over root-anchors.xml, checked against the ICANN CA certificate compiled into unbound-anchor (the 'signer 0' lines above), not from the transport, which is plain HTTP; and once auto-trust-anchor-file is in use unbound tracks KSK rollovers itself (RFC 5011) and rewrites that file, so it has to be writable by the _unbound user, which means running unbound-anchor as that user or fixing the ownership afterwards. Re-running unbound-anchor once a week from cron, or from /etc/rc.local at boot, is still a reasonable belt-and-braces habit for a box that may sit powered off through a rollover.  It's your choice.
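The DS line in root.key is only as good as the key it was derived from, so it is worth recomputing it from the KSK the root zone actually publishes. The following is an added example, not code from the post or from unbound; it implements the DS digest from RFC 4034 section 5.1.4 (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA) and the key tag from RFC 4034 Appendix B, and compares the result with the anchor unbound-anchor wrote. The DNSKEY string for KSK-2010 is transcribed here rather than fetched, so compare it with your own `dig . DNSKEY +dnssec` output before trusting the verdict; the digest-type and tag handling is general and works for any zone's DS/DNSKEY pair, not just the root.

```python
import base64
import hashlib

# Added example (not from the post): verify a DS record such as the one in
# /var/unbound/db/root.key against the DNSKEY it claims to digest.

# The DS line unbound-anchor produced in the post.
ROOT_ANCHOR_DS = ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"

# The 2010 root KSK (flags 257, RSA/SHA-256) as published in the root zone.
# Transcribed, not fetched: check it against your own `dig . DNSKEY` output.
ROOT_KSK_2010 = (
    ". IN DNSKEY 257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0"
    "EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q"
    "Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO"
    "A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8"
    "ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_rr(line: str, rrtype: str):
    """Split a presentation-format RR into (owner, rdata fields); TTL/class optional."""
    tokens = line.split()
    idx = tokens.index(rrtype)  # ValueError if the line is not of that type
    return tokens[0], tokens[idx + 1:]


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum of the RDATA (big-endian word sum)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire form; the root '.' is a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def compute_ds(dnskey_line: str, digest_type: int = 2) -> str:
    """Derive the DS rdata text 'tag alg digest_type DIGEST' for a DNSKEY RR."""
    owner, fields = parse_rr(dnskey_line, "DNSKEY")
    flags, proto, alg = (int(x) for x in fields[:3])
    rdata = dnskey_rdata(flags, proto, alg, "".join(fields[3:]))
    if digest_type not in DIGESTS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), alg, digest_type, digest)


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """True iff the DS (e.g. the root.key line) was derived from this DNSKEY."""
    _, fields = parse_rr(ds_line, "DS")
    tag, alg, dtype = (int(x) for x in fields[:3])
    digest = "".join(fields[3:]).upper()
    return compute_ds(dnskey_line, dtype) == "%d %d %d %s" % (tag, alg, dtype, digest)


if __name__ == "__main__":
    # Prints the DS we derive and whether it matches the anchor unbound-anchor wrote.
    print("computed:", compute_ds(ROOT_KSK_2010))
    print("root.key anchor matches KSK-2010:", ds_matches(ROOT_ANCHOR_DS, ROOT_KSK_2010))
```

The key tag is deliberately checked as well as the digest: a DS whose digest matches but whose tag does not is a sign of a hand-edited anchor file. To check a live anchor, paste the DNSKEY line from `dig @127.0.0.1 . DNSKEY +dnssec +multi` (the 257-flag record) into ROOT_KSK_2010 and the DS line from /var/unbound/db/root.key into ROOT_ANCHOR_DS.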

Next, modify /var/unbound/etc/unbound.conf and uncomment the following line in the server: section.  unbound on OpenBSD runs chrooted in /var/unbound, so the path is relative to that chroot and names /var/unbound/db/root.key, the file unbound-anchor just wrote:

        auto-trust-anchor-file: "/db/root.key"

We may as well also grab the latest root.hints file from InterNIC.  This step is optional: unbound has a compiled-in copy of the root hints and the file only changes when a root server's address does, so pulling it once a month from root's crontab is plenty.  Keep in mind the transfer itself is unauthenticated; with validation on, a bad hints file can make unbound prime from the wrong servers, but whatever they return still has to validate against the trust anchor above.

# ftp -o /var/unbound/db/root.hints "ftp://ftp.internic.net/domain/named.cache"

Then add this to the server: section of /var/unbound/etc/unbound.conf (chroot-relative again, so it names /var/unbound/db/root.hints):


        root-hints: "/db/root.hints"

Finally, restart unbound (on a fresh install, enable it at boot first with rcctl(8)):

# /etc/rc.d/unbound -f restart

To test, dig a few domains; start with the root and work down from there.  With +dnssec, dig sets the DO bit (it shows up as 'flags: do' in the OPT pseudosection) so unbound returns the RRSIGs, and the 'ad' flag in the header is unbound saying it validated the answer against the trust anchor.  That flag only means something when you trust the resolver and the path to it, which is the case for 127.0.0.1; an 'ad' from a resolver across a network you don't control proves nothing, since anything on the path can set it.  Check the failure side too: a zone with deliberately broken signatures such as dnssec-failed.org must come back SERVFAIL, and the same query with +cd (checking disabled) should then return an answer, which shows the SERVFAIL was the validator's doing and not a reachability problem.  You're looking for the 'ad' flag as follows:

# dig . SOA +dnssec

; <<>> DiG 9.4.2-P2 <<>> . SOA +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14023
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2015050801 1800 900 604800 86400
.                       86400   IN      RRSIG   SOA 8 0 86400 20150518170000 20150508160000 48613 . VJxXmFUi8HIwg+G8neEQFJ2r9h6ceIuWS7kSLN3ON/St7+id6bYh2QKt M4FQ6JM/1ZrebeMrXps8lM0wVsMtKkqvJkJfazYAFyo75EZ2GSAr/yXW sS12scSLp1mSb6sIva5KtKmvVL71bjoZfusJCPmAmoxtKceoyNOQWwTX ZDA=

;; AUTHORITY SECTION:
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      RRSIG   NS 8 0 518400 20150518170000 20150508160000 48613 . X5CTpGRiUiNCzYHHYA/UcKDLmk9Cm8Kx2PXiIbDFTb9yGeiu3uRUkwoX rlyJ2zNuokGgec58AnJFiXOOlKcfZ11dgXeKbY2IR7JYocAP4CqXhNjh KaYiuxhtdnjYEzYhyUV4j6i35N9HURMsSgX2ipuItaq7l2I8fywcG6Xg sXo=

;; Query time: 2223 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May  8 21:47:28 2015
;; MSG SIZE  rcvd: 612
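Reading the header by eye works for one query, but the same logic is easy to get wrong when checking a batch of domains, and the +cd cross-check is the part people skip. The following is an added example, not code from the post or from unbound: it parses the HEADER and flags lines of dig output and classifies the result as secure (NOERROR with ad), insecure (NOERROR without ad, i.e. an unsigned zone), bogus (SERVFAIL that turns into an answer with +cd) or unreachable (SERVFAIL either way). The sample headers are constructed: the first is the post's own root SOA header, the others are made up to represent dnssec-failed.org with and without +cd and an ordinary unsigned zone.

```python
import re
from typing import Optional

# Added example (not from the post): classify DNSSEC validation state from dig headers.

# Constructed samples. SECURE_ROOT is the header from the post's `dig . SOA +dnssec`;
# the rest are made up to stand in for a broken zone (plain and with +cd) and an
# unsigned zone.
SECURE_ROOT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14023
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1
"""
BOGUS_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);", re.MULTILINE)


def parse_header(dig_output: str) -> dict:
    """Pull status, id and the header flag set out of dig's ';;' comment lines."""
    h = HEADER_RE.search(dig_output)
    f = FLAGS_RE.search(dig_output)
    if h is None or f is None:
        raise ValueError("no dig HEADER/flags lines found")
    return {"status": h.group(2), "id": int(h.group(3)), "flags": set(f.group(1).split())}


def classify(plain: str, with_cd: Optional[str] = None) -> str:
    """Validation verdict from a normal query and, optionally, the same query with +cd.

    secure       NOERROR and the resolver set 'ad' (validated against the anchor)
    insecure     NOERROR without 'ad' (unsigned zone, or validation is off)
    bogus        SERVFAIL normally but an answer with +cd: the validator rejected it
    unreachable  SERVFAIL with and without +cd: not a validation problem
    servfail     SERVFAIL and no +cd result supplied, so we cannot tell which
    """
    hdr = parse_header(plain)
    if "ra" not in hdr["flags"]:
        return "not-recursive"  # an authoritative server answered, not the resolver
    if hdr["status"] == "NOERROR":
        return "secure" if "ad" in hdr["flags"] else "insecure"
    if hdr["status"] == "SERVFAIL":
        if with_cd is None:
            return "servfail"
        return "bogus" if parse_header(with_cd)["status"] == "NOERROR" else "unreachable"
    return hdr["status"].lower()


if __name__ == "__main__":
    print("root SOA:            ", classify(SECURE_ROOT))
    print("unsigned zone:       ", classify(UNSIGNED))
    print("broken zone (+cd too):", classify(BOGUS_PLAIN, BOGUS_CD))
    print("broken zone alone:    ", classify(BOGUS_PLAIN))
```

Against a live resolver, feed it the output of `dig @127.0.0.1 dnssec-failed.org A +dnssec` as `plain` and of the same command with `+cd` added as `with_cd`; a correctly validating unbound yields "bogus", and "insecure" for that zone means validation is not actually on. The "not-recursive" branch is there because an 'ad' flag is only meaningful from the recursive resolver you configured, never from an authoritative server answered directly.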

Ad blocking: Yes, I'll add this soon as well. I've seen so many inept ways to do it that I'd rather take a little more time to make a few scripts I personally use take on a more readable shape.

Where most fail is in pointing ad servers' DNS records to localhost (do I really need to explain why that doesn't work on a firewall?), forcing downloads of software or modules /not/ included in the base operating system, or enabling unprotected, unvetted network services to serve the single-pixel file, i.e. some socket-based perl/php/python/etc. script that runs as root from the base system.  I'll avoid all that; you should as well.