I'm not a paranoiac, and I certainly don't feel inclined to /hide/ from anyone, but that's not a reason not to protect my DNS queries from a simple snoop by unscrupulous ISPs. I simply prefer good network topology and security to convenience. With OpenBSD, I can have both security AND convenience with only a minimal amount of fuss. Why use anything else?
There are some caveats here, but the scope of those is beyond the point of this writing.
First, you'll need to install dnscrypt-proxy. If you don't have PKG_PATH defined, you can simply pull it directly like this:
pkg_add -v http://ftp.openbsd.org/pub/OpenBSD/`uname -r`/packages/`uname -m`/dnscrypt-proxy
If you find you want the latest version of dnscrypt-proxy (1.9.4 as of this writing), follow this script:
# groupadd -g 688 _dnscrypt-proxy
# useradd -g _dnscrypt-proxy -s /sbin/nologin -u 688 -d /var/empty -c "dnscrypt-proxy user" -L daemon _dnscrypt-proxy
# cd /tmp
# ftp https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.9.4.tar.gz
# tar -zxvpf dnscrypt-proxy-1.9.4.tar.gz
# cd dnscrypt-proxy-1.9.4
# ./configure
# make
# make install
Next, you'll need to decide which DNS server you'd like to use. A CSV list can be found in /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv. For the sake of this discussion, I'm going to use the first one in the list, adamas (no particular reason; it was simply first).
Next, start dnscrypt-proxy as user _dnscrypt-proxy (automatically added via pkg installation or script above) with the following command:
/usr/local/sbin/dnscrypt-proxy -l /var/log/dnscrypt-proxy.log -u _dnscrypt-proxy -d -a 127.0.0.1:54 -R adamas
This will allow us to monitor /var/log/dnscrypt-proxy.log for errors during the testing sequences. Once any errors have been located and resolved, you can switch the -l to /dev/null. Personally, I prefer to keep a log file, but that's your decision to make.
Now edit the default unbound configuration at /var/unbound/etc/unbound.conf. You'll obviously need to change the local interface IP if you plan to allow the rest of your network to access it; mine is 172.16.18.1/24.
server:
    interface: 172.16.18.1
    interface: 127.0.0.1
    access-control: 172.16.18.0/24 allow
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@54
Edit your /etc/resolv.conf to point to 127.0.0.1, then start unbound (/etc/rc.d/unbound -f).
To test, I use tcpdump to examine outbound packets on port 5678 (you'll need to examine the line in the CSV file mentioned above to find the correct port). If you make a DNS request, and see traffic on that port to the server listed in the /var/log/dnscrypt-proxy.log, you're probably set. (as long as the request returns a valid lookup, naturally!)
[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #808464433 is valid from [2014-10-32] to [2015-10-32]
[INFO] Server key fingerprint is 5499:C1EE:97DD:889A:AD9E:C59B:80BD:365A:B38D:B125:25B5:5896:9CE0:5881:7792:8237
[NOTICE] Proxying from 127.0.0.1:54 to 80.90.43.162:5678
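The test above relies on reading the upstream address and port out of the log by eye. Here is an added example (not from the original post) that does the same in a few shell functions: it recovers the upstream resolver from the last "Proxying from ... to ..." line, turns it into the tcpdump filter you need, and flags anything in the log that is not INFO or NOTICE. SAMPLE_LOG is the startup log printed above; V6_LOG and BROKEN_LOG are constructed to exercise an IPv6 upstream and a proxy that failed to start.

```shell
#!/bin/sh
# Added example, not from the original post: parse a dnscrypt-proxy 1.x log,
# recover the upstream resolver the proxy settled on and build the tcpdump
# filter for the test described above. In practice pass
# "$(cat /var/log/dnscrypt-proxy.log)" instead of the embedded sample.

SAMPLE_LOG='[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #808464433 is valid from [2014-10-32] to [2015-10-32]
[INFO] Server key fingerprint is 5499:C1EE:97DD:889A:AD9E:C59B:80BD:365A:B38D:B125:25B5:5896:9CE0:5881:7792:8237
[NOTICE] Proxying from 127.0.0.1:54 to 80.90.43.162:5678'

# Constructed logs for two other cases: an upstream reached over IPv6
# (dnscrypt-proxy prints those in brackets) and a proxy that could not start.
V6_LOG='[NOTICE] Proxying from 127.0.0.1:54 to [2001:db8::1]:443'
BROKEN_LOG='[NOTICE] Starting dnscrypt-proxy 1.4.3
[ERROR] Unable to retrieve server certificates'

# proxy_upstream LOG: "host:port" from the last "Proxying from ... to ..." line;
# the last one wins because a restarted proxy appends a fresh startup block.
proxy_upstream() {
    printf '%s\n' "$1" | awk '/\] Proxying from .* to /{ up = $NF } END { if (up != "") print up }'
}

# tcpdump_filter LOG: BPF expression matching only the proxy's upstream traffic,
# e.g.  tcpdump -ni egress "$(tcpdump_filter "$(cat /var/log/dnscrypt-proxy.log)")"
tcpdump_filter() {
    up=$(proxy_upstream "$1")
    [ -n "$up" ] || return 1
    host=${up%:*}      # everything before the last colon
    port=${up##*:}     # everything after it
    host=${host#\[}    # drop the brackets dnscrypt-proxy puts around IPv6 literals
    host=${host%\]}
    printf 'host %s and port %s\n' "$host" "$port"
}

# log_is_clean LOG: true when every line is INFO or NOTICE; anything else
# (WARNING, ERROR, CRITICAL) deserves a look before switching -l to /dev/null.
log_is_clean() {
    ! printf '%s\n' "$1" | grep -qvE '^\[(INFO|NOTICE)\] '
}

# cert_seen LOG: true when the proxy accepted the resolver's certificate, i.e.
# it was signed by the provider key listed in the CSV for that resolver.
cert_seen() {
    printf '%s\n' "$1" | grep -q '^\[INFO\] This certificate looks valid$'
}
```

If tcpdump_filter prints nothing, the proxy never reached the "Proxying from" line, and log_is_clean will point you at the reason.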
You can also monitor /var/log/messages to ensure that unbound started, or at least isn't complaining about one or more of your configuration directives.
To prevent all other outbound DNS queries, a few PF rules might not hurt, but that is, once again, beyond the scope of this unilaterally-focused discussion.
For those who want to round-robin amongst a group of encrypted DNS transports, this is what I've found works well:
Start 6 instances of dnscrypt-proxy, each on lo0 with a unique port:
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:54 -R adamas
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:55 -R opendns
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:56 -R cypherpunk
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:57 -R dnscrypt.org-fr
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:58 -R okturtles
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:59 -R opennic-ca-ns3
Then modify /var/unbound/etc/unbound.conf and list all 6 as forward-addr entries under the forward-zone you configured earlier:
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@54
    forward-addr: 127.0.0.1@55
    forward-addr: 127.0.0.1@56
    forward-addr: 127.0.0.1@57
    forward-addr: 127.0.0.1@58
    forward-addr: 127.0.0.1@59
Reload unbound:
/etc/rc.d/unbound -f reload
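Keeping six start lines and six forward-addr lines in sync by hand is error-prone, and unbound will quietly route around a proxy instance that has died without telling you which one. The following added example (not from the original post) generates both halves from one list of resolver names, assigning ports from 54 upwards on 127.0.0.1 as above, and checks the output of netstat for instances that are not listening. NETSTAT_SAMPLE is constructed in OpenBSD `netstat -an -f inet` format.

```shell
#!/bin/sh
# Added example, not from the original post: derive the dnscrypt-proxy start
# commands and the unbound forward-zone stanza from one resolver list, then
# verify that every expected instance is bound to its port.

BASE_PORT=54
PROXY=/usr/local/sbin/dnscrypt-proxy
PROXY_USER=_dnscrypt-proxy

# proxy_cmds RESOLVER...: one start line per resolver, in a form that can be
# pasted into /etc/rc.local; ports run from BASE_PORT in list order.
proxy_cmds() {
    port=$BASE_PORT
    for r in "$@"; do
        printf '%s -l /dev/null -u %s -d -a 127.0.0.1:%s -R %s\n' \
            "$PROXY" "$PROXY_USER" "$port" "$r"
        port=$((port + 1))
    done
}

# forward_zone RESOLVER...: the matching forward-zone stanza for unbound.conf;
# the resolver name goes on a comment line so the file stays self-explanatory.
forward_zone() {
    printf 'forward-zone:\n    name: "."\n'
    port=$BASE_PORT
    for r in "$@"; do
        printf '    # %s\n    forward-addr: 127.0.0.1@%s\n' "$r" "$port"
        port=$((port + 1))
    done
}

# missing_listeners NETSTAT_OUTPUT COUNT: given `netstat -an -f inet` output,
# print each of the COUNT expected UDP ports on 127.0.0.1 with no listener.
# unbound keeps working with fewer forwarders, so this is how a crashed
# instance gets noticed.
missing_listeners() {
    port=$BASE_PORT
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' "$1" | grep -q "^udp .*127\.0\.0\.1\.$port[[:space:]]" \
            || printf '%s\n' "$port"
        port=$((port + 1))
        i=$((i + 1))
    done
}

# Constructed sample: instances on 54 and 55 are up, the one expected on 56 is not.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  127.0.0.1.54           *.*
udp          0      0  127.0.0.1.55           *.*
udp          0      0  172.16.18.1.53         *.*
udp          0      0  127.0.0.1.53           *.*'
```

Typical use is `proxy_cmds adamas opendns cypherpunk dnscrypt.org-fr okturtles opennic-ca-ns3 >> /etc/rc.local`, the same list to forward_zone for unbound.conf, and `missing_listeners "$(netstat -an -f inet)" 6` from cron.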
To confirm, you can tcpdump on ports 443 and 5678 to see which servers are getting distributed hits. This should offer a level of redundancy/reliability to the process, as long as unbound remains running.
Enjoy!
Continued... Since I got a few (ha!) replies to this shortly after posting the previous information, I thought I'd go ahead and wrap up a DNSSEC unbound config while I'm at it.
You'll first need to run /usr/sbin/unbound-anchor. I do it as follows - note that /var/unbound/db, where root.key gets written, MUST be writable by the _unbound user:
# sudo -u _unbound /usr/sbin/unbound-anchor -vvvv -F
/var/unbound/db/root.key does not exist
debug cert update forced
last successful probe: Fri May 8 21:43:42 2015
the last successful probe is recent
/var/unbound/etc/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
trusted certificates (0/1)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 04:19:12 2009 GMT
Not After : Dec 18 04:19:12 2029 GMT
Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
85:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
Signature Algorithm: sha256WithRSAEncryption
0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
e7:40:61:a4
resolved server address 72.21.81.189
resolved server address 2606:2800:11f:bb5:f27:227f:1bbf:a0e
connect to 2606:2800:11f:bb5:f27:227f:1bbf:a0e
connect: No route to host
connect to 72.21.81.189
server SSL certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:e1:04:33:b3:bb:e4:3e:9b:d1:5c:07:6e:15:ea:9f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
Validity
Not Before: Oct 22 12:00:01 2013 GMT
Not After : Dec 8 12:00:00 2015 GMT
Subject: C=US, ST=California, L=Santa Monica, O=EdgeCast Networks, Inc., CN=s2.wpc.edgecastcdn.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a8:52:16:b5:4f:04:fe:a4:57:b6:04:c5:3f:50:
c9:10:0b:ee:7f:fe:ae:dd:ef:ba:50:c7:5e:2f:aa:
71:f5:e3:29:0e:72:62:3e:52:3c:d0:05:66:fa:e4:
fc:57:38:cc:3d:78:15:e1:52:da:3d:f2:2e:c5:aa:
ef:4a:e1:24:a4:cd:e2:9e:83:a3:84:2b:a8:1f:02:
7f:9c:94:8c:a8:8d:57:5b:ea:2c:ad:fd:92:75:7c:
06:86:c4:27:52:1b:cd:31:50:86:af:eb:41:24:ee:
26:b3:ac:4b:27:0c:3f:d2:ef:16:dd:0b:9e:06:61:
af:94:04:c8:00:30:e4:8d:55:2b:ef:ac:89:8a:9f:
03:d6:b1:65:ac:29:7b:e6:1d:50:78:0f:55:53:3f:
91:bd:2d:49:2c:98:05:6a:eb:66:9b:0c:97:f0:b2:
12:b0:1e:3e:96:6a:ae:ed:ae:05:1b:59:ff:22:08:
7d:f8:94:3f:fe:91:3f:13:b4:ac:26:3d:4a:fb:2e:
6d:62:76:4d:9e:8d:4b:c0:19:2f:32:d6:83:28:de:
05:5d:b8:86:ea:5e:f0:51:fb:df:76:e4:24:ff:f8:
72:70:ab:68:d7:eb:00:a7:ed:00:77:bd:27:24:a0:
1d:13:84:77:3d:f4:39:a5:55:53:57:a6:72:76:c4:
29:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Subject Key Identifier:
14:BB:9C:34:3C:67:7A:C5:CE:23:24:9B:86:D6:98:4A:82:C0:56:51
X509v3 Subject Alternative Name:
DNS:s2.wpc.edgecastcdn.net, DNS:data.iana.org, DNS:videos.grovo.com, DNS:portal.netoptimize.telekom.net
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/sha2-ha-server-g4.crl
Full Name:
URI:http://crl4.digicert.com/sha2-ha-server-g4.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
9b:80:88:3b:e5:17:f8:55:53:5c:21:0a:e9:d6:4e:54:d3:63:
94:e3:b1:04:31:e9:79:4f:6a:52:79:3b:28:33:d3:dd:80:c4:
0d:20:5e:92:45:8f:3c:57:5f:6d:69:26:05:ab:28:c0:ac:69:
83:0b:33:95:85:57:2c:e5:73:cd:2d:44:bd:9c:31:38:9d:3d:
50:99:e5:bd:9d:0f:2a:48:75:3c:7b:b1:85:b5:df:dd:cf:a1:
8c:d1:67:c3:df:63:67:8f:09:78:1f:a1:73:32:05:9a:ed:ff:
e9:07:17:cf:71:fa:2d:a9:ce:52:e4:f6:a5:20:8c:80:69:ba:
47:20:e1:81:55:be:50:64:0b:0e:43:10:35:68:73:5e:77:7e:
8f:1d:ae:48:d4:d5:53:5d:ba:0f:1a:fb:73:9d:64:f9:76:eb:
a0:28:c0:b4:23:98:67:7c:67:ce:d7:ce:a1:d7:ee:90:24:c0:
11:ef:31:fd:64:45:1b:e4:56:67:18:75:02:06:ee:e9:6f:9c:
0a:69:09:33:46:49:46:b5:8d:ff:d0:98:e7:a9:1e:06:51:9b:
e3:bf:35:bf:ee:60:ad:91:a3:79:0f:9c:7c:87:6e:14:83:15:
e9:3b:0a:b1:9a:22:0d:f1:c7:7a:b0:46:39:22:de:80:69:9a:
55:b0:cd:8c
SSL_write: GET /root-anchors/root-anchors.xml HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.5.2
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Accept-Ranges: bytes'
header: 'Cache-Control: max-age=604800'
header: 'Content-Type: text/xml'
header: 'Date: Sat, 09 May 2015 02:43:43 GMT'
header: 'Etag: "64192-1a2-512c93b68be80"'
header: 'Expires: Sat, 16 May 2015 02:43:43 GMT'
header: 'Last-Modified: Fri, 03 Apr 2015 03:06:18 GMT'
header: 'Server: ECAcc (dfw/562B)'
header: 'X-Cache: HIT'
header: 'Content-Length: 418'
at 0/418
read 418 data
read data: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 54 72 75 73 74 41 6e 63 68 6f 72 20 69 64 3d 22 41 44 34 32 31 36 35 46 2d 33 42 31 41 2d 34 37 37 38 2d 38 46 34 32 2d 44 33 34 41 31 44 34 31 46 44 39 33 22 20 73 6f 75 72 63 65 3d 22 68 74 74 70 3a 2f 2f 64 61 74 61 2e 69 61 6e 61 2e 6f 72 67 2f 72 6f 6f 74 2d 61 6e 63 68 6f 72 73 2f 72 6f 6f 74 2d 61 6e 63 68 6f 72 73 2e 78 6d 6c 22 3e 0a 3c 5a 6f 6e 65 3e 2e 3c 2f 5a 6f 6e 65 3e 0a 3c 4b 65 79 44 69 67 65 73 74 20 69 64 3d 22 4b 6a 71 6d 74 37 76 22 20 76 61 6c 69 64 46 72 6f 6d 3d 22 32 30 31 30 2d 30 37 2d 31 35 54 30 30 3a 30 30 3a 30 30 2b 30 30 3a 30 30 22 3e 0a 3c 4b 65 79 54 61 67 3e 31 39 30 33 36 3c 2f 4b 65 79 54 61 67 3e 0a 3c 41 6c 67 6f 72 69 74 68 6d 3e 38 3c 2f 41 6c 67 6f 72 69 74 68 6d 3e 0a 3c 44 69 67 65 73 74 54 79 70 65 3e 32 3c 2f 44 69 67 65 73 74 54 79 70 65 3e 0a 3c 44 69 67 65 73 74 3e 34 39 41 41 43 31 31 44 37 42 36 46 36 34 34 36 37 30 32 45 35 34 41 31 36 30 37 33 37 31 36 30 37 41 31 41 34 31 38 35 35 32 30 30 46 44 32 43 45 31 43 44 44 45 33 32 46 32 34 45 38 46 42 35 3c 2f 44 69 67 65 73 74 3e 0a 3c 2f 4b 65 79 44 69 67 65 73 74 3e 0a 3c 2f 54 72 75 73 74 41 6e 63 68 6f 72 3e 0a
fetched root-anchors/root-anchors.xml (418 bytes)
connect to 72.21.81.189
server SSL certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:e1:04:33:b3:bb:e4:3e:9b:d1:5c:07:6e:15:ea:9f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
Validity
Not Before: Oct 22 12:00:01 2013 GMT
Not After : Dec 8 12:00:00 2015 GMT
Subject: C=US, ST=California, L=Santa Monica, O=EdgeCast Networks, Inc., CN=s2.wpc.edgecastcdn.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a8:52:16:b5:4f:04:fe:a4:57:b6:04:c5:3f:50:
c9:10:0b:ee:7f:fe:ae:dd:ef:ba:50:c7:5e:2f:aa:
71:f5:e3:29:0e:72:62:3e:52:3c:d0:05:66:fa:e4:
fc:57:38:cc:3d:78:15:e1:52:da:3d:f2:2e:c5:aa:
ef:4a:e1:24:a4:cd:e2:9e:83:a3:84:2b:a8:1f:02:
7f:9c:94:8c:a8:8d:57:5b:ea:2c:ad:fd:92:75:7c:
06:86:c4:27:52:1b:cd:31:50:86:af:eb:41:24:ee:
26:b3:ac:4b:27:0c:3f:d2:ef:16:dd:0b:9e:06:61:
af:94:04:c8:00:30:e4:8d:55:2b:ef:ac:89:8a:9f:
03:d6:b1:65:ac:29:7b:e6:1d:50:78:0f:55:53:3f:
91:bd:2d:49:2c:98:05:6a:eb:66:9b:0c:97:f0:b2:
12:b0:1e:3e:96:6a:ae:ed:ae:05:1b:59:ff:22:08:
7d:f8:94:3f:fe:91:3f:13:b4:ac:26:3d:4a:fb:2e:
6d:62:76:4d:9e:8d:4b:c0:19:2f:32:d6:83:28:de:
05:5d:b8:86:ea:5e:f0:51:fb:df:76:e4:24:ff:f8:
72:70:ab:68:d7:eb:00:a7:ed:00:77:bd:27:24:a0:
1d:13:84:77:3d:f4:39:a5:55:53:57:a6:72:76:c4:
29:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Subject Key Identifier:
14:BB:9C:34:3C:67:7A:C5:CE:23:24:9B:86:D6:98:4A:82:C0:56:51
X509v3 Subject Alternative Name:
DNS:s2.wpc.edgecastcdn.net, DNS:data.iana.org, DNS:videos.grovo.com, DNS:portal.netoptimize.telekom.net
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/sha2-ha-server-g4.crl
Full Name:
URI:http://crl4.digicert.com/sha2-ha-server-g4.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
9b:80:88:3b:e5:17:f8:55:53:5c:21:0a:e9:d6:4e:54:d3:63:
94:e3:b1:04:31:e9:79:4f:6a:52:79:3b:28:33:d3:dd:80:c4:
0d:20:5e:92:45:8f:3c:57:5f:6d:69:26:05:ab:28:c0:ac:69:
83:0b:33:95:85:57:2c:e5:73:cd:2d:44:bd:9c:31:38:9d:3d:
50:99:e5:bd:9d:0f:2a:48:75:3c:7b:b1:85:b5:df:dd:cf:a1:
8c:d1:67:c3:df:63:67:8f:09:78:1f:a1:73:32:05:9a:ed:ff:
e9:07:17:cf:71:fa:2d:a9:ce:52:e4:f6:a5:20:8c:80:69:ba:
47:20:e1:81:55:be:50:64:0b:0e:43:10:35:68:73:5e:77:7e:
8f:1d:ae:48:d4:d5:53:5d:ba:0f:1a:fb:73:9d:64:f9:76:eb:
a0:28:c0:b4:23:98:67:7c:67:ce:d7:ce:a1:d7:ee:90:24:c0:
11:ef:31:fd:64:45:1b:e4:56:67:18:75:02:06:ee:e9:6f:9c:
0a:69:09:33:46:49:46:b5:8d:ff:d0:98:e7:a9:1e:06:51:9b:
e3:bf:35:bf:ee:60:ad:91:a3:79:0f:9c:7c:87:6e:14:83:15:
e9:3b:0a:b1:9a:22:0d:f1:c7:7a:b0:46:39:22:de:80:69:9a:
55:b0:cd:8c
SSL_write: GET /root-anchors/root-anchors.p7s HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.5.2
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Accept-Ranges: bytes'
header: 'Cache-Control: max-age=604800'
header: 'Content-Type: text/plain; charset=UTF-8'
header: 'Date: Sat, 09 May 2015 02:43:43 GMT'
header: 'Etag: "64191-1389-512c93b68be80"'
header: 'Expires: Sat, 16 May 2015 02:43:43 GMT'
header: 'Last-Modified: Fri, 03 Apr 2015 03:06:18 GMT'
header: 'Server: ECAcc (dfw/56D0)'
header: 'X-Cache: HIT'
header: 'Content-Length: 5001'
at 0/5001
at 4095/5001
read 5001 data
read data: 30 82 13 85 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 13 76 30 82 13 72 02 01 01 31 0b 30 09 06 05 2b 0e 03 02 1a 05 00 30 0b 06 09 2a 86 48 86 f7 0d 01 07 01 a0 82 11 44 30 82 03 6d 30 82 02 55 a0 03 02 01 02 02 01 06 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 29 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 17 30 15 06 03 55 04 03 13 0e 49 43 41 4e 4e 20 45 4d 41 49 4c 20 43 41 30 1e 17 0d 31 34 30 36 31 31 31 38 34 33 33 32 5a 17 0d 31 37 30 36 31 30 31 38 34 33 33 32 5a 30 4a 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 18 30 16 06 03 55 04 03 0c 0f 64 6e 73 73 65 63 40 69 61 6e 61 2e 6f 72 67 31 1e 30 1c 06 09 2a 86 48 86 f7 0d 01 09 01 16 0f 64 6e 73 73 65 63 40 69 61 6e 61 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 a5 2b f7 9a d8 9c 48 a6 d8 bb f3 7c db f5 4e 9d 44 19 ce 23 9f 7f 65 81 0a c6 b3 05 32 ec f5 9c cd 61 34 c0 75 dd 8d ce 0b 52 4c f4 08 bd 3c c5 a4 c8 13 a6 70 93 92 0f ca 40 cd 8b 61 03 d2 79 2e ff 17 74 ba 6d b4 20 f0 be 9f 89 15 49 6d 45 69 dc a7 d3 7b eb 82 23 12 d8 c4 7f 57 11 6a c0 a7 ef 96 18 e6 7c 3c 1d b5 23 ce fe 72 dd bb fb ec d4 62 50 4a 73 32 b6 f4 9f bc 12 b3 21 c5 62 78 eb b0 5c 32 db 8f 83 b7 87 b6 db 26 d3 ca 9a 0c 4a ce d1 42 1f 7c ec ad 32 d1 fc ac d9 7c c5 90 03 3d a9 3c 73 ed 45 d9 15 b1 7e 5d 4c 83 44 b1 98 4a 54 ad 3a fd d4 da 08 7c a2 c6 51 b1 36 75 6e 6f 8f 0e 88 f5 12 64 3f 6b 19 31 57 55 75 ad 7d bc 8a 92 07 98 06 d6 ad ff 68 54 1e de af d6 9e 61 f5 a7 c0 51 77 fe 76 eb 81 bd a0 1a 5e 9c 68 d8 e5 3a 28 c0 50 cb cb 98 4f f5 ac e9 49 02 03 01 00 01 a3 7f 30 7d 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 00 a0 30 1d 06 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 04 06 08 2b 06 01 05 05 07 03 02 30 1f 06 03 55 1d 23 04 18 30 16 80 14 7b 3f ba ce a1 b3 a6 13 2e 5a 82 84 d4 d2 ea a5 24 f1 cd b4 30 1d 06 03 55 1d 0e 04 16 04 14 a6 3a 41 2f a5 69 a4 95 7c 9b 1f 7d 4f 60 c9 ea 95 94 cf eb 30 0d 
06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 0f b8 90 03 78 a9 45 49 81 e5 49 18 58 92 91 e6 84 59 54 3a 81 8f a2 d8 1b 20 a7 17 29 3d ee 55 f2 8d 05 20 3a e3 3e 49 ee 7a a7 52 be e1 47 ec 31 77 8e 24 bf 51 93 b3 5b 4c 2c 29 41 53 6f 9c 35 2c aa fe 6f 88 3b 0e 5d 4a b1 bb e7 1c 04 64 a9 ad d4 e1 26 f8 57 b2 df 4b 6f b9 c3 fd 16 7a 40 34 f9 1c 54 f1 42 5f 06 8c 97 1d c7 4d c9 22 d1 fe ab 8b 7d 12 ab b5 04 91 af f1 f9 4a 96 d9 0c 56 31 44 8a 10 dc f2 b2 45 60 52 27 79 b8 31 81 d6 9d 04 09 3c 44 a9 37 57 c6 87 c1 e3 98 23 be 77 01 27 70 af d3 32 0b 48 a6 dc 00 ec c9 ea 04 f7 e6 45 17 05 f5 36 00 4d b7 a1 df 0d da 15 f8 3d c2 0c d8 ba 8c ec 76 89 9a 9b 8f 2f 18 28 2e af a3 57 e9 ee 99 d7 0a cf d5 a0 2d 5b f5 18 82 42 c4 48 d5 7e d3 08 2a 07 08 51 d3 ff 6c f1 d3 42 0e c7 8e b1 89 ee ff 26 d3 59 76 cb ab af 30 82 03 77 30 82 02 5f a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 1e 17 0d 30 39 31 32 32 33 30 34 31 39 31 32 5a 17 0d 32 39 31 32 31 38 30 34 31 39 31 32 5a 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 a0 db 70 b8 4f 34 da 9c d4 d0 7e bb ea 15 bc e9 c9 11 2a 1f 61 2f 6a b9 bd 3f 3d 76 a0 9a 0a f7 ee 93 6e 6e 55 53 84 8c f2 2c f1 82 27 c8 0f 9a cf 52 1b 54 da 28 d2 2c 30 8e dd fb 92 20 33 2d d6 c8 f1 0e 10 21 88 71 fa 84 22 4b 5d 47 56 16 7c 9b 9f 5d c3 11 79 9c 14 e2 ff c0 74 ac dd 39 d7 e0 38 d8 b0 73 aa fb d1 db 
84 af 52 22 a8 f6 d5 9b 94 f4 e6 5d 5e e8 3f 87 90 0b c7 1a 77 f5 2e d3 8f 1a ce 02 1d 07 69 21 47 32 da 46 ae 00 4c b6 a5 a2 9c 39 c1 c0 4a f6 d3 1c ae d3 6d bb c7 18 f0 7e ed f6 80 ce d0 01 2e 89 de 12 ba ee 11 cb a6 7a d7 0d 7c f3 08 8d 72 9d bf 55 75 13 70 bb 31 22 4a cb e8 c0 aa a4 09 aa 36 68 40 60 74 9d e7 19 81 43 22 52 fe c9 2b 52 0f 41 13 36 09 72 65 95 cc 89 ae 6f 56 17 16 34 73 52 a3 04 ed bd 88 82 8a eb d7 dc 82 52 9c 06 e1 52 85 41 02 03 01 00 01 a3 42 30 40 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 fe 30 1d 06 03 55 1d 0e 04 16 04 14 ba 52 e9 49 83 24 86 52 2f c7 99 cd fc 8d 6b 69 08 4d c0 50 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 0f f1 e9 82 a2 0a 87 9f 2d 94 60 5a b2 c0 4b a1 2f 2b 3b 47 d5 0a 99 86 38 b2 ec c6 3b 89 e4 6e 07 cf 14 c7 c7 e8 cf 99 8f aa 30 c3 19 70 b9 e6 6d d6 3f c8 68 26 b2 a0 a5 37 42 ca d8 62 80 d1 a2 5a 48 2e 1f 85 3f 0c 7b c2 c7 94 11 5f 19 2a 95 ac a0 3a 03 d8 91 5b 2e 0d 9c 7c 1f 2e fc e9 44 e1 16 26 73 1c 45 4a 65 c1 83 4c 90 f3 f2 28 42 df db c4 e7 04 12 18 62 43 5e bc 1f 6c 84 e6 bc 49 32 df 61 d7 99 ee e4 90 52 7b 0a c2 91 8a 98 62 66 b1 c8 e0 b7 5a b5 46 7c 76 71 54 8e cc a4 81 5c 19 db d2 6f 66 b5 bb 2b ae 6b c9 74 04 a8 24 de e8 c5 d3 fc 2c 1c d7 8f db 6a 8d c9 53 be 5d 50 73 ac cf 1f 93 c0 52 50 5b a2 4f fe ad 65 36 17 46 d1 2d e5 a2 90 66 05 db 29 4e 5d 50 5d e3 4f da a0 8f f0 6b e4 16 70 dd 7f f3 77 7d b9 4e f9 ec c3 33 02 d7 e9 63 2f 31 e7 40 61 a4 30 82 03 86 30 82 02 6e a0 03 02 01 02 02 01 09 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 1e 17 0d 31 34 30 36 31 31 31 38 34 31 32 31 5a 17 0d 31 39 30 36 31 30 31 38 34 31 32 31 5a 30 4b 31 0e 30 0c 06 03 55 
04 0a 13 05 49 43 41 4e 4e 31 18 30 16 06 03 55 04 03 13 0f 49 43 41 4e 4e 20 44 4e 53 53 45 43 20 43 41 31 1f 30 1d 06 09 2a 86 48 86 f7 0d 01 09 01 13 10 64 6e 73 73 65 63 40 69 63 61 6e 6e 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c0 bf e2 b4 ee 12 46 36 3b 7c d2 46 21 64 5a 93 e1 e3 02 10 25 bb a5 30 70 19 89 98 7e 9e db 8e 0f ac c8 48 66 0e 1a f8 81 e5 2d 3c 7b 39 39 76 28 8f ee 0a a7 dd 64 e9 5f 87 25 b1 64 e5 59 03 fc bc 29 3b 63 37 c8 d7 46 9a b6 ce 87 55 cd cf e2 ab e9 c7 8a 53 2e 25 87 b0 98 d6 20 a3 a8 ec 87 b0 39 a3 c4 c5 75 59 3c fb 91 03 fa ee 7f e9 2b b6 70 88 69 2c e6 f1 4f fc d0 47 b4 e9 a0 2c fa 0c c3 84 eb be 73 5a bc 16 ed d0 83 02 2d eb 6a 21 02 51 70 29 1e 4f c9 69 03 9f 91 32 5c 2c 1a 9f 5e 45 48 2a 50 ee 72 14 ec 17 29 fc 20 95 7d 22 6a c6 6f 83 a2 58 8e b1 64 c8 73 23 54 6c 69 1d 66 1f df f8 4f 24 a1 a8 ae 00 7f e9 89 41 a6 e3 88 1d 3a e1 b3 3a ef 29 45 32 9b 94 2e b7 6c 1e fe 31 40 13 e1 bd 52 67 d0 d8 c3 3e 03 84 48 72 9d bd 8a 48 a0 f2 72 35 b6 03 4b c6 e9 05 02 03 01 00 01 a3 63 30 61 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 06 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ba 52 e9 49 83 24 86 52 2f c7 99 cd fc 8d 6b 69 08 4d c0 50 30 1d 06 03 55 1d 0e 04 16 04 14 8f b2 42 69 c3 9d e4 3c fa 13 b9 ff f2 c0 a4 ef d8 0f e8 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 47 75 12 ff 99 c1 95 a7 41 71 d2 bd 08 98 d4 55 28 f8 52 78 9e d9 88 bf f8 0d fd ba 7d bb 55 19 f1 17 39 26 99 a5 ee 0b b2 26 a3 b7 31 f6 56 48 ec 53 17 b1 32 ab 32 2d a5 e7 15 1d 03 d1 66 ec 8d 8c 2a 3f 74 bd b2 0e 9b 73 43 93 ed c5 d4 eb 1f 33 23 a7 ef fa 8e 27 35 8f 58 1d 6b b1 fe 85 42 c6 ac 66 87 3b d1 58 f5 95 ef d3 f9 4a 65 e6 27 aa d6 4f 22 5e 7f 6f dd ae 33 63 b5 8d cf d0 18 8c ad 16 dc 63 ba c8 49 f9 ea fc 3d 02 64 b9 9d d8 3c 19 43 21 5e 92 6a cf 08 e9 00 eb 75 ac d8 c2 43 70 9d 9b 6c 50 7b 3e 72 ba 56 b7 32 3e 67 9e 7d 39 f6 a6 8f 
a8 49 a0 a7 6f cf 66 74 b1 59 08 07 bf 5a 19 f5 e5 88 e8 51 7c 33 45 79 5a ad b5 08 15 33 61 e8 56 fd 03 04 48 02 8b fb bf 07 59 71 ad 81 05 7c 16 7a 7e 00 30 a0 c9 fd 44 f4 f7 1e 05 d1 da 4f 14 6f a7 bd ab 99 57 d6 5d 30 82 03 64 30 82 02 4c a0 03 02 01 02 02 01 07 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 1e 17 0d 31 34 30 36 31 31 31 38 33 38 31 33 5a 17 0d 31 39 30 36 31 30 31 38 33 38 31 33 5a 30 29 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 17 30 15 06 03 55 04 03 13 0e 49 43 41 4e 4e 20 45 4d 41 49 4c 20 43 41 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 d2 19 1e 22 69 33 f6 a4 d2 76 c5 80 11 75 8e d0 e8 6f bf 89 f8 2a 6a da 8a 85 28 40 ba c5 23 5f 47 ed 72 e2 8e d3 5c c8 8a 3a 99 a9 57 2c 0a 2b 22 f3 54 7b 8b f7 8c 21 a2 50 01 4f 8b af 34 df 72 fc 78 31 d0 1d eb bc 9b e6 fa c1 84 d0 05 07 8a 74 53 a5 60 9e eb 75 9e a8 5d 32 c8 02 32 e4 bf cb 97 9b 7a fa 2c f6 6a 1d b8 57 ad e3 03 22 93 d0 f4 4f a8 b8 01 db 82 33 98 b6 87 ed 3d 67 40 00 27 2e d5 95 d2 ad 36 46 14 c6 17 79 65 7f 65 f3 88 80 65 7c 22 67 08 23 3c cf a5 10 38 72 30 97 92 6f 20 4a ba 24 4c 4a c8 4a a5 dc 2a 44 a1 29 78 b4 9f fe 84 ff 27 5b 3a 72 ea 31 c1 ad 06 22 d6 44 a0 4a 57 32 9c f2 46 47 d0 89 6e 20 23 2c ea b0 83 7e c1 f3 ea da dd e3 63 59 97 21 fa 1b 11 39 27 cf 82 8b 56 15 d4 36 92 0c a5 7e 80 e0 18 c9 50 08 42 0a df 97 3c 9c b8 0a 4d b1 02 03 01 00 01 a3 63 30 61 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 06 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ba 52 e9 49 83 24 86 52 2f c7 99 cd fc 8d 6b 69 08 4d c0 50 30 1d 06 03 55 1d 0e 04 16 04 14 7b 3f ba ce a1 b3 a6 13 2e 5a 82 84 d4 d2 ea a5 24 
f1 cd b4 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 94 e7 2b 2b 25 6f 3b 26 dd f9 aa 83 b8 14 2b a8 1f 4d 09 6e 56 44 68 15 01 29 d2 92 7e 75 bb 7b a9 40 98 4f fe f6 80 fe 69 02 0e 18 72 01 c0 74 73 e3 00 e2 87 a8 1f 79 5d 7a b8 8a aa 22 b0 4d 1f 56 85 98 40 97 72 4c b1 4e 38 6e ba 4c 12 af 2f 7c ef 48 03 5f 13 f7 4d d5 17 6f 5d 38 e9 7a 8f f6 82 ee 4f 09 4c 85 a6 88 eb 7d 62 ba 13 34 dc 2d 6d 86 94 35 69 bc 9f 7d c8 89 97 3a a4 81 e5 2b a3 6d 49 cb b6 57 97 86 97 3f 3e 07 8a 3b 55 d4 9f 95 63 0c 5f 8a 95 84 fc 3c 37 f1 e5 a1 f1 e5 0c d5 86 d8 3f a6 79 4d c5 a9 10 8e d1 38 a3 05 36 eb 2c 37 fb 70 bb 98 67 25 6d e9 d3 9c de b6 b7 32 7c 4c 98 be 4d 45 02 cb 93 de ce e7 64 a9 e8 5d ef d1 ed ee 8f c9 92 98 3a 46 75 ee 5a 84 82 25 56 ee 50 2f 63 62 70 5b 1b 7d 23 79 50 b5 b6 9c 5f c4 ba 27 e1 9a dc 71 74 81 26 f9 30 82 03 62 30 82 02 4a a0 03 02 01 02 02 01 08 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 5d 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 26 30 24 06 03 55 04 0b 13 1d 49 43 41 4e 4e 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 16 30 14 06 03 55 04 03 13 0d 49 43 41 4e 4e 20 52 6f 6f 74 20 43 41 31 0b 30 09 06 03 55 04 06 13 02 55 53 30 1e 17 0d 31 34 30 36 31 31 31 38 34 30 33 32 5a 17 0d 31 39 30 36 31 30 31 38 34 30 33 32 5a 30 27 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 15 30 13 06 03 55 04 03 13 0c 49 43 41 4e 4e 20 53 53 4c 20 43 41 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 dd c6 ab bf 7c 66 9d b3 2b 96 00 14 c7 60 7a 8d 62 5b 26 4b 30 d7 b3 4c 82 69 c6 4d 4d 73 f3 d4 91 21 5d ab 35 f0 c8 04 0e f4 a3 35 e2 e1 18 a9 98 12 03 58 f8 9f eb 77 54 5b 89 81 26 c9 aa c2 f4 c9 0c 82 57 2a 5e 05 e9 61 17 cc 19 18 71 eb 35 83 c1 86 9d ec f1 6b ca dd a1 96 0b 95 d4 e1 0f 9e 24 6f dc 3c d0 28 9e f2 53 47 2b a1 ad 32 03 c8 3f 0d 80 80 7d f0 02 d2 6e 5a 2c 44 21 9b 09 50 15 3f a1 3d d3 c9 c8 24 e7 ea 4e 92 2f 94 90 2e de e7 68 f6 c6 b3 90 1f bc 
c9 7b a2 65 d7 11 e9 8b f0 3a 5a b7 17 07 df 69 e3 6e b9 54 6a 8e 3a aa 94 7f 2c 0a a1 ad ba b7 d9 60 62 27 a7 71 40 3b 8e b0 84 7b b8 c8 67 ef 66 ba 3d ac c3 85 e5 86 bb a7 9c fd b6 e1 c0 10 53 3d d4 7e 1b 09 e6 9f 22 5c a7 27 09 7e 27 12 33 fa df 9b 20 2f 14 f7 17 c0 e4 1e 07 91 1f f9 9a cd a8 e2 c5 02 03 01 00 01 a3 63 30 61 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 06 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ba 52 e9 49 83 24 86 52 2f c7 99 cd fc 8d 6b 69 08 4d c0 50 30 1d 06 03 55 1d 0e 04 16 04 14 6e 77 a8 40 10 4a d8 9c 0c f2 b7 5a 3a a5 2f 79 4a 61 14 d8 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 0f 7d cd f4 fc 33 b2 b9 47 68 a8 c1 1e 52 73 6f cc 72 1f 53 59 0a c6 ba 91 58 23 4c b2 a3 97 36 9a 0a 9a 9a 03 43 ee 7b b1 61 f4 59 ab e3 ab 9f 1f 93 8f 52 36 b5 6a f7 f8 92 f2 ee cb bc 31 9a 1a 70 01 f7 4b c4 65 9f 25 8b 15 77 62 2c f1 63 21 c2 18 04 77 35 4c 64 fc 20 1a 49 24 05 c3 fc 44 1f ff 26 ea 42 97 fe 77 ca cd 58 40 d3 fa ce 2e 35 47 d5 33 45 11 76 81 ec 37 b6 fe 15 c7 74 f9 49 ef 4e 8a da 70 ec 9c 0b 38 79 05 8c 5b 66 3e e5 5f 32 a9 55 5e ca b6 00 fe 12 17 cb 39 7a 91 44 77 42 25 f3 13 56 12 e3 7b 82 62 24 8c dd 24 bd 6b 74 8c 47 9d 90 ad 6c 31 93 12 54 fa 8d 95 b0 9a eb b8 1f 99 dd 7e 65 ed a4 69 b8 6b 59 a0 78 8b 73 f5 f5 ea f8 9c 9a 07 8a eb 84 d5 43 65 6b a2 1e 71 6c 78 aa b3 4a 05 c5 46 3d 44 66 87 d3 91 27 25 9f 48 50 51 32 cb 5e 55 1c 1a 7b 31 82 02 09 30 82 02 05 02 01 01 30 2e 30 29 31 0e 30 0c 06 03 55 04 0a 13 05 49 43 41 4e 4e 31 17 30 15 06 03 55 04 03 13 0e 49 43 41 4e 4e 20 45 4d 41 49 4c 20 43 41 02 01 06 30 09 06 05 2b 0e 03 02 1a 05 00 a0 81 b1 30 18 06 09 2a 86 48 86 f7 0d 01 09 03 31 0b 06 09 2a 86 48 86 f7 0d 01 07 01 30 1c 06 09 2a 86 48 86 f7 0d 01 09 05 31 0f 17 0d 31 35 30 33 33 31 31 38 33 37 31 35 5a 30 23 06 09 2a 86 48 86 f7 0d 01 09 04 31 16 04 14 9b b8 17 68 fb 30 95 58 40 96 99 96 93 41 8f cd b1 3d 7b 9c 30 52 06 09 2a 86 48 86 f7 0d 01 09 0f 31 45 30 43 
30 0a 06 08 2a 86 48 86 f7 0d 03 07 30 0e 06 08 2a 86 48 86 f7 0d 03 02 02 02 00 80 30 0d 06 08 2a 86 48 86 f7 0d 03 02 02 01 40 30 07 06 05 2b 0e 03 02 07 30 0d 06 08 2a 86 48 86 f7 0d 03 02 02 01 28 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 04 82 01 00 1b 03 d6 c6 8f 9e 81 cb 6d 21 60 6e e7 89 2f 46 2a f8 47 ae 48 ad 43 6c 77 76 ca a5 ad e9 a3 ed db 8c 03 2a e5 9d 41 45 d9 ea 0a ee d0 d3 ce d7 25 9d 2c 53 7a a9 9a 4e 6a 21 f7 4e d1 2b 98 63 40 aa 15 59 ed 84 76 bd c6 2d 6f 46 b6 0c e0 37 50 af b7 d7 65 e6 8a 6c d1 ea 5b 4f c8 f3 f3 37 28 c9 93 8c 7e b4 8f 5a b4 16 77 68 0e 3a cf b3 f4 ef 82 a3 83 8c 1f 30 63 45 69 6d 64 06 2b fa 4f 81 4d 94 c7 f1 f7 9f e7 1e cb c8 59 70 fc 02 f4 d7 63 7c f4 09 b8 d3 1d b0 7d 6a 71 70 e7 ad e0 44 48 e3 7a 72 51 4b f6 68 21 74 89 dd da e8 be 5e 29 38 e1 31 da 92 ad 28 36 f2 d9 ae 26 18 26 e8 53 18 62 29 77 88 5a 59 a9 19 74 46 c0 98 cf 6e 1b 81 2a 2b 2d 77 2b 74 bd c5 44 de be e5 7a aa 1b df 1e b4 dd ac 0a c4 8e 5f 68 59 07 ac ec 65 48 73 68 bc 3f b6 81 9f bf 16 01 e1 3c fb
fetched root-anchors/root-anchors.p7s (5001 bytes)
parsed the PKCS7 signature
setup the X509_STORE
signer 0: Subject: /O=ICANN/CN=dnssec@iana.org/emailAddress=dnssec@iana.org
commonName: dnssec@iana.org
emailAddress: dnssec@iana.org
keyUsage: Digital Signature, Key Encipherment
the PKCS7 signature verified
xml tag start 'TrustAnchor'
id='AD42165F-3B1A-4778-8F42-D34A1D41FD93'
source='http://data.iana.org/root-anchors/root-anchors.xml'
TrustAnchor charhandle: '
'
xml tag start 'Zone'
Zone charhandle: '.'
xml tag end 'Zone'
xml tag start 'KeyDigest'
id='Kjqmt7v'
validFrom='2010-07-15T00:00:00+00:00'
use KeyDigest charhandle: '
'
xml tag start 'KeyTag'
use KeyTag charhandle: '19036'
xml tag end 'KeyTag'
xml tag start 'Algorithm'
use Algorithm charhandle: '8'
xml tag end 'Algorithm'
xml tag start 'DigestType'
use DigestType charhandle: '2'
xml tag end 'DigestType'
xml tag start 'Digest'
use Digest charhandle: '49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5'
xml tag end 'Digest'
xml tag end 'KeyDigest'
xml tag end 'TrustAnchor'
XML was parsed successfully, 1 keys
got DS bio 139: '; created by unbound-anchor on Fri May 8 21:43:43 2015
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
'
success: the anchor has been updated using the cert
This will create /var/unbound/db/root.key. unbound-anchor is only the bootstrap: once auto-trust-anchor-file is set, unbound follows root key rollovers itself (RFC 5011) while it runs, rewriting that file as it goes, so keep the file and /var/unbound/db writable by the _unbound user. Running unbound-anchor from /etc/rc.local on every reboot is enough; a weekly cron job is reasonable belt-and-braces if the box spends long stretches powered off. It's your choice.
Next, modify /var/unbound/etc/unbound.conf and uncomment the following line (the path is resolved inside the /var/unbound chroot, so it is the same file as above):
auto-trust-anchor-file: "/db/root.key"
We may as well also grab the latest root.hints file from InterNIC. Unbound ships with a built-in copy, so this only matters when a root server changes address; pulling it once a month from root's crontab is plenty.
# ftp -o /var/unbound/db/root.hints "ftp://ftp.internic.net/domain/named.cache"
Place this in your /var/unbound/etc/unbound.conf:
root-hints: "/db/root.hints"
Finally, restart unbound:
# /etc/rc.d/unbound -f restart
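The four steps above (anchor, config, hints, restart) as one rerunnable script. This is an added example, not the post's own script: it assumes the post's layout (chroot in /var/unbound, daemon user _unbound, the two config lines already present), uses unbound-anchor's `-a` option to write the anchor, checks the anchor file before trusting it, sanity-checks the downloaded hints, and refuses to restart unless `unbound-checkconf` accepts the configuration. The function names and the `--run` switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: bootstrap the DNSSEC trust
# anchor and the root hints for OpenBSD's chrooted unbound, then restart it
# only if unbound-checkconf accepts the configuration. Intended to run as
# root from /etc/rc.local or a cron job; safe to rerun.
#
# Assumed layout (the one used in this post): chroot in /var/unbound, daemon
# user _unbound, and unbound.conf already carrying
#   auto-trust-anchor-file: "/db/root.key"
#   root-hints: "/db/root.hints"

set -u

CHROOT=/var/unbound
ANCHOR=$CHROOT/db/root.key
HINTS=$CHROOT/db/root.hints
HINTS_URL=ftp://ftp.internic.net/domain/named.cache

# anchor_has_root_key FILE: succeed only if FILE holds a trust anchor for the
# root zone. unbound-anchor writes a DS record ('. IN DS 19036 8 2 ...');
# once unbound has run with the file it rewrites it as DNSKEY records with
# RFC 5011 state comments, so accept either form. Empty or comment-only
# files fail.
anchor_has_root_key() {
    [ -s "$1" ] || return 1
    awk '$1 == "." && ($3 == "DS" || $3 == "DNSKEY" || $4 == "DS" || $4 == "DNSKEY") { found = 1 }
         END { exit !found }' "$1"
}

refresh_anchor() {
    # unbound-anchor fetches root-anchors.xml plus its PKCS#7 signature and
    # checks them against the ICANN CA built into the tool (the verbose
    # output shown above). Its exit status is 1 when it updated the anchor
    # from the certificate and 0 otherwise, including on error, so judge the
    # result by the file rather than by the status.
    /usr/sbin/unbound-anchor -a "$ANCHOR" -v || :
    anchor_has_root_key "$ANCHOR" || {
        echo "refresh_anchor: no root trust anchor in $ANCHOR" >&2
        return 1
    }
    # unbound rewrites this file when the root KSK rolls over, so the
    # daemon's own user must be able to write it inside the chroot.
    chown _unbound "$ANCHOR"
}

refresh_hints() {
    tmp=$HINTS.tmp
    ftp -o "$tmp" "$HINTS_URL" || { rm -f "$tmp"; return 1; }
    # Plain FTP, no integrity check: at least make sure it looks like the
    # root NS list before replacing the live file. A bad hints file can only
    # break priming, not forge answers: the root NS RRset unbound learns from
    # the priming query is signed and validated like any other answer.
    if ! grep -qi 'a\.root-servers\.net' "$tmp"; then
        echo "refresh_hints: $HINTS_URL does not look like root hints" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$HINTS"
}

restart_unbound() {
    # A typo in unbound.conf would otherwise take the resolver down.
    /usr/sbin/unbound-checkconf || {
        echo "restart_unbound: unbound.conf rejected, leaving the running daemon alone" >&2
        return 1
    }
    /etc/rc.d/unbound -f restart
}

# Only act when explicitly asked, so the file can also be sourced for its
# functions.
if [ "${1:-}" = "--run" ]; then
    refresh_anchor && refresh_hints && restart_unbound
fi
```

Run it as `sh refresh-dns.sh --run` from /etc/rc.local; the only function that needs no network is anchor_has_root_key, which is why the anchor is judged by file content and not by unbound-anchor's exit status.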
To test, dig a few domains. I start with the root and go from there. You're looking for the 'ad' (Authenticated Data) flag in the flags line, which unbound sets only on answers it has validated itself:
# dig . SOA +dnssec
; <<>> DiG 9.4.2-P2 <<>> . SOA +dnssec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14023
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015050801 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20150518170000 20150508160000 48613 . VJxXmFUi8HIwg+G8neEQFJ2r9h6ceIuWS7kSLN3ON/St7+id6bYh2QKt M4FQ6JM/1ZrebeMrXps8lM0wVsMtKkqvJkJfazYAFyo75EZ2GSAr/yXW sS12scSLp1mSb6sIva5KtKmvVL71bjoZfusJCPmAmoxtKceoyNOQWwTX ZDA=
;; AUTHORITY SECTION:
. 518400 IN NS d.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20150518170000 20150508160000 48613 . X5CTpGRiUiNCzYHHYA/UcKDLmk9Cm8Kx2PXiIbDFTb9yGeiu3uRUkwoX rlyJ2zNuokGgec58AnJFiXOOlKcfZ11dgXeKbY2IR7JYocAP4CqXhNjh KaYiuxhtdnjYEzYhyUV4j6i35N9HURMsSgX2ipuItaq7l2I8fywcG6Xg sXo=
;; Query time: 2223 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 8 21:47:28 2015
;; MSG SIZE rcvd: 612
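Seeing 'ad' once is necessary but not sufficient: a forwarder can hand you an 'ad' bit it set itself, and a resolver that fails open will happily return unsigned garbage with NOERROR. The script below, an added example and not part of the original post, turns the dig check into three probes: the root SOA must validate, the same query with +cd (checking disabled) must lose the 'ad' flag (so it is this resolver setting it), and a deliberately broken zone must be refused with SERVFAIL yet still answer under +cd (so the refusal is validation, not connectivity). The broken zone assumed here is dnssec-failed.org, Comcast's public intentionally-bogus test zone; the RESOLVER variable, the function names and the `--live` switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the local unbound
# really validates DNSSEC rather than merely answering. Three probes against
# the resolver in $RESOLVER (default 127.0.0.1, the post's setup):
#   1. the root SOA must come back NOERROR with the 'ad' flag set;
#   2. the same query with +cd (checking disabled) must come back WITHOUT
#      'ad', proving the flag is set by this resolver, not a forwarder;
#   3. a deliberately broken zone must be refused with SERVFAIL, yet answer
#      with +cd, so the failure is validation and not connectivity. The
#      assumed test name is dnssec-failed.org, Comcast's public bogus zone.
# dig_status() classifies a dig transcript read from stdin, so it can be
# exercised offline against constructed output.

RESOLVER=${RESOLVER:-127.0.0.1}

# dig_status: read one dig transcript on stdin and print one word:
#   validated    NOERROR and 'ad' present in the flags line
#   unvalidated  NOERROR, no 'ad'
#   servfail     status SERVFAIL
#   other        anything else (NXDOMAIN, REFUSED, no HEADER line at all)
dig_status() {
    awk '
        /^;; ->>HEADER<<-/ {
            # "... status: NOERROR, id: 14023": take the word after "status:"
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
        }
        /^;; flags:/ {
            # flags sit between "flags:" and the first ";"; match "ad" as a
            # whole word so "ra" or "rd" cannot be mistaken for it
            line = $0
            sub(/^;; flags: */, "", line)
            sub(/;.*$/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (st == "SERVFAIL")            print "servfail"
            else if (st == "NOERROR" && ad)  print "validated"
            else if (st == "NOERROR")        print "unvalidated"
            else                             print "other"
        }'
}

# probe NAME TYPE [dig options...]: query $RESOLVER and classify the answer
probe() {
    name=$1; type=$2; shift 2
    dig @"$RESOLVER" "$name" "$type" +dnssec "$@" | dig_status
}

# expect LABEL WANT GOT: print one result line, return 1 on mismatch
expect() {
    if [ "$2" = "$3" ]; then
        echo "ok   $1: $3"
    else
        echo "FAIL $1: wanted $2, got $3"
        return 1
    fi
}

# check_resolver: run all probes, return 0 only if every one matched
check_resolver() {
    rc=0
    expect "root SOA validates"          validated   "$(probe . SOA)"                    || rc=1
    expect "root SOA with +cd loses ad"  unvalidated "$(probe . SOA +cd)"                || rc=1
    expect "bogus zone rejected"         servfail    "$(probe dnssec-failed.org A)"      || rc=1
    expect "bogus zone reachable w/ +cd" unvalidated "$(probe dnssec-failed.org A +cd)"  || rc=1
    return $rc
}

# Only touch the network when asked, so the file can be sourced for dig_status.
if [ "${1:-}" = "--live" ]; then
    check_resolver
fi
```

Run it as `sh dnssec-check.sh --live` (or `RESOLVER=172.16.18.1 sh dnssec-check.sh --live` from another host on the LAN). If the third probe comes back "validated" or "unvalidated" instead of "servfail", the resolver is not validating, whatever the 'ad' flag on the root query says.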
Ad blocking: yes, I'll add this soon as well. I've seen so many inept ways to do it that I'd rather take a little more time to give the few scripts I personally use a more readable shape.
Where most fail is in pointing ad-server DNS records at localhost (do I really need to explain why that doesn't work on a firewall?), forcing downloads of software or modules not included in the base operating system, or enabling unprotected, unvetted network services to serve the single-pixel file, i.e. some socket-based perl/php/python/etc. script that runs as root from the base system. I'll avoid all that; you should as well.