be more helpful about instructions for installing unbound and dnssec

by mentioning the dnssec root keys, mentioning which unbound version has EDE,
giving a "dig" invocation to check for dnssec results.

based on issue #131 by romner-set, thanks for reporting
Mechiel Lukkien
2024-03-07 10:47:48 +01:00
parent 4db1f5593c
commit b541646275
2 changed files with 6 additions and 4 deletions

@ -175,12 +175,14 @@ WARNING: It looks like the DNS resolvers configured on your system do not
verify DNSSEC, or aren't trusted (by having loopback IPs or through "options
trust-ad" in /etc/resolv.conf). Without DNSSEC, outbound delivery with SMTP
used unprotected MX records, and SMTP STARTTLS connections cannot verify the TLS
certificate with DANE (based on a public key in DNS), and will fallback to
certificate with DANE (based on a public key in DNS), and will fall back to
either MTA-STS for verification, or use "opportunistic TLS" with no certificate
verification.
Recommended action: Install unbound, a DNSSEC-verifying recursive DNS resolver,
and enable support for "extended dns errors" (EDE):
ensure it has DNSSEC root keys (see unbound-anchor), and enable support for
"extended dns errors" (EDE, available since unbound v1.16.0). Test with
"dig com. ns" and look for "ad" (authentic data) in response "flags".
cat <<EOF >/etc/unbound/unbound.conf.d/ede.conf
server:
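Review bot: the unchanged context line "Without DNSSEC, outbound delivery with SMTP used unprotected MX records" has a tense error that this hunk leaves in place; since the adjacent sentence is being touched anyway ("will fallback" to "will fall back"), consider also changing "used" to "uses". On the new test instruction, "dig com. ns" queries whatever resolver is listed in /etc/resolv.conf, so an "ad" flag only proves the system resolver validates if that is the unbound instance just installed; suggesting "dig @127.0.0.1 com. ns" (or whichever address unbound listens on) would make the check point at the resolver the instructions set up, and a short note that a missing "ad" flag with a "status: NOERROR" answer means the resolver answered without validating would help readers interpret the result.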