Is DNSSEC working?

@Valiceemo

sudo apt update
sudo apt upgrade -y
sudo apt install -y libev4 libevent-core-2.0-5 libuv1 libidn11 libyaml dns-root-data libunbound2
sudo apt install -y build-essential libssl-dev libtool m4 autoconf libyaml-dev
git clone https://github.com/getdnsapi/getdns.git
cd getdns
git checkout master
sed -i 's#git://#https://#g' .gitmodules # fix for git checkout
git submodule update --init
libtoolize -ci
autoreconf -fi
mkdir -v build && cd build
../configure --prefix=/usr/local --without-libidn --without-libidn2 --enable-stub-only --with-ssl --with-stubby
make
sudo make install
sudo /sbin/ldconfig -v
cd ../stubby
sudo useradd stubby
sudo /usr/bin/install -Dm644 stubby.yml.example /etc/stubby.yml
sudo nano /lib/systemd/system/stubby.service
[Unit]
Description=stubby DNS resolver
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/bin/stubby -C /etc/stubby.yml
Restart=on-abort
User=stubby

[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable stubby
sudo systemctl start stubby

sudo /sbin/ldconfig -v

^
This should get stubby installed.
The code after sudo nano goes inside the stubby.service you just created.
Follow this guide I just typed. The one I linked doesn't build stubby with SSL for some reason. That's a big problem. Just let me know if you get stuck.

Once the above is completed, run sudo nano /etc/stubby.yml. I recommend turning off round robin in there. You may have to enable DNSSEC; I can't remember the default. You can change the other configurations to your liking.

The last thing you have to do is add the stubby IP and port to the DNS section in http://pi.hole/. This is configured in the above stubby.yml.

Lastly, I'm on mobile right now, sorry if the formatting is crap.

Be careful with .yml files they do not like whitespace

One more thing: you might have trouble with the dependencies. You might have to search for the equivalent libs etc. with sudo apt search.

Example: I think libuv1 might actually be libuv10
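Added example (mine, not a file from anyone in this thread): a minimal /etc/stubby.yml for the setup described above, with the two settings mentioned (round robin off, DNSSEC validation on) and a loopback listen port that Pi-hole can be pointed at. The listen port, the upstream servers and the appdata_dir are assumptions; swap in your own. The option names are the ones used in stubby's own stubby.yml.example.

```yaml
# /etc/stubby.yml (added example, adjust to your own upstreams)
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS              # TLS only, never fall back to cleartext
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # fail closed if the cert does not match tls_auth_name
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000

# "turn off round robin": always use the first reachable upstream
round_robin_upstreams: 0

# validate DNSSEC here, in stubby, so a bogus answer becomes SERVFAIL
# instead of being passed to Pi-hole
dnssec_return_status: GETDNS_EXTENSION_TRUE

# where getdns keeps the root trust anchor it fetches; assumption: this
# directory exists and is writable by the stubby user the unit runs as
appdata_dir: "/var/cache/stubby"

# Pi-hole then gets 127.0.0.1#5353 as its custom upstream (port is an assumption)
listen_addresses:
  - 127.0.0.1@5353
  - 0::1@5353

upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
```

The default listen address in stubby.yml.example is port 53, which collides with Pi-hole's own dnsmasq on the same host, so the port has to change to something free. After editing, stubby -C /etc/stubby.yml -l runs it in the foreground and shows whether the TLS upstreams authenticate before you enable the systemd unit.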

Yes I have the hash in my config:

pi@pi-hole:~ $ cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.

include: "/etc/unbound/unbound.conf.d/*.conf"

#use ca-certificate
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes
pi@pi-hole:~ $ unbound-checkconf
/etc/unbound/unbound.conf:15: error: unknown keyword 'tls-cert-bundle'
/etc/unbound/unbound.conf:15: error: stray ':'
/etc/unbound/unbound.conf:15: error: stray '"'
/etc/unbound/unbound.conf:15: error: unknown keyword '/etc/ssl/certs/ca-certificates'
/etc/unbound/unbound.conf:15: error: stray '"'
read /etc/unbound/unbound.conf failed: 5 errors in configuration file

Get the same error with ssl-cert-bundle

Thanks @drewski for the detailed guide!
I'll give this a shot when I get a bit of spare time.

You're welcome!
I'm just trying to piece it together; it's been so long.

Yes you're right.
But even with

#use ca-certificate
ssl-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

In /etc/unbound/unbound.conf.d/pi-hole.conf I still get the same error

I am giving the answers.
My unbound pihole.conf contains server: at the top with the SSL cert entry underneath.
I removed ssl-cert-bundle from the main unbound config.
The certificate file is located at /etc/ssl/certs/ca-certificates.crt, hence me declaring it there.
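Putting the pieces of this exchange together as an added example (my own fragment, not any poster's file): an /etc/unbound/unbound.conf.d/pi-hole.conf with the CA bundle option inside a server: clause and the forward-zone beside it. Files pulled in by include: are parsed exactly like unbound.conf itself, so the forward-zone works in either place. tls-cert-bundle (ssl-cert-bundle is the same option) is a server: option that exists from Unbound 1.7 onwards; "unknown keyword" from unbound-checkconf, as in the output above, is what an older release says about it, so check unbound -V before rearranging files. The listen port is an assumption; the Debian package already sets auto-trust-anchor-file in its own unbound.conf.d file, so it is not repeated here.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf (added example, not from the thread)
server:
    interface: 127.0.0.1
    port: 5335                  # Pi-hole upstream becomes 127.0.0.1#5335 (assumed port)
    do-ip6: no

    # CA bundle used to verify the forwarder's certificate against the
    # #cloudflare-dns.com auth name below. server: option, Unbound 1.7+.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # DNSSEC is validated by this instance; the trust anchor comes from
    # unbound.conf.d/root-auto-trust-anchor-file.conf shipped by Debian.
    harden-dnssec-stripped: yes
    val-log-level: 1            # log why an answer was judged bogus
    qname-minimisation: yes

forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Run unbound-checkconf after saving; it reads the main file plus everything included from unbound.conf.d, so a problem in either shows up there, with the file and line named in the error.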

Can confirm the above works if you are interested. I just rebuilt stubby.

Definitely interested.
Just not able to try just yet. Will report back when I've got it going

I can make these changes, worth a try.
But the guys at the unbound git said the forward zones should be in the main unbound config

If I forward my request in TLS and my upstream is using DNSSEC, how could tampering occur? No one can pretend to be my upstream and my upstream cannot spoof the test. So where is the danger?

I'm just making sure i have my head on straight.
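The thread title asks whether DNSSEC is working, and the post above asks what the TLS tunnel does and does not cover. The check a practitioner actually runs is: query the resolver directly for a signed name and expect NOERROR with the AD flag, then query a deliberately mis-signed name and expect SERVFAIL. If the second probe returns an answer, nothing on your side is validating and the AD bit is simply whatever the forwarder chose to set, i.e. you are trusting the forwarder's validation as well as the channel. The script below is an added example (mine, not from the thread): it classifies a dig reply from its header, and the dig replies embedded in it are constructed, not captured. The live probe at the end needs dig and network access; isc.org is assumed to be signed and dnssec-failed.org to be deliberately broken at the time you run it.

```shell
#!/bin/sh
# Added example: decide from a `dig` reply header whether the answer was
# DNSSEC-validated. The sample replies below are constructed for the demo.

# Read one dig reply on stdin and print one word:
#   validated - NOERROR and the AD (authenticated data) flag is set
#   unsigned  - NOERROR without AD: an answer, but nothing vouched for it
#   servfail  - resolver refused to answer (what a validating resolver
#               does for a bogus signature)
#   other     - any other rcode, or no reply at all
dnssec_status() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unsigned ;;
            esac ;;
        SERVFAIL) echo servfail ;;
        *)        echo other ;;
    esac
}

# Both probes must hold for a "yes": the good name validates AND the
# broken name is refused. An answer for the broken name means validation
# is happening nowhere on your side, whatever the AD bit says.
dnssec_verdict() {
    [ "$1" = validated ] && [ "$2" = servfail ]
}

# Constructed dig headers (not real captures) covering the three outcomes.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4714
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Live probes against a resolver (needs dig and network). Assumptions:
# isc.org is signed and dnssec-failed.org is deliberately mis-signed.
# Pass +cd as the third argument to disable checking and watch the broken
# name come back with an answer: that is what a non-validating path looks like.
live_check() {
    srv="$1"; port="${2:-53}"; extra="${3:-}"
    good=$(dig +dnssec $extra -p "$port" @"$srv" A isc.org | dnssec_status)
    bad=$(dig +dnssec $extra -p "$port" @"$srv" A dnssec-failed.org | dnssec_status)
    printf 'signed name : %s\nbroken name : %s\n' "$good" "$bad"
    if dnssec_verdict "$good" "$bad"; then
        echo "DNSSEC validation: working"
    else
        echo "DNSSEC validation: NOT confirmed"
    fi
}

# Offline demo on the constructed replies; "--live HOST PORT [+cd]" probes a real resolver.
echo "offline classification of constructed replies:"
for s in "$SAMPLE_VALIDATED" "$SAMPLE_UNSIGNED" "$SAMPLE_BOGUS"; do
    printf '  %s\n' "$(printf '%s\n' "$s" | dnssec_status)"
done
if [ "${1:-}" = --live ]; then
    live_check "${2:-127.0.0.1}" "${3:-53}" "${4:-}"
fi
```

Point the live probe at each hop separately: stubby's listen port, then Pi-hole on port 53. If stubby alone passes but Pi-hole does not, Pi-hole is not forwarding where you think it is.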

Thought I'd give this a bash... failed at the first step.

pi@pi-hole:~ $ sudo apt install libev4 libevent-core-2.0.5 libuv1 libidn11 libyaml dns-root-data libunbound2
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'libevent-core-2.0-5' for regex 'libevent-core-2.0.5'
E: Unable to locate package libyaml

Searching for libyaml brings a few results, but I'm not sure on how to determine the best one to install

I won't be able to ssh in for a bit, but I can search for what I have installed sometime tonight.
In the meantime, if you're willing, you can post the options; it might spark a memory.

Is libyaml-dev or something similar an option?

Bingo.
Tried this one and it installed.
Just finishing off the stubby install...
Expect more questions :man_shrugging:

I can send you my stubby.yml if you want. The DNS server I use is in Germany and does DNSSEC.

Thanks, might help me learn.

I will do that when I sit down with putty in a bit