Netgate Discussion Forum
    Experimenting with RFC 7706 on unbound

    DHCP and DNS
    Grimson

      You might have heard of RFC 7706, a proposal to cache the root zone on a local resolver to (slightly) improve resolving speed. Unbound supports it with its "Authority Zone Options" since version 1.7.0, so if you want to try it you can use the following entries in the advanced settings of the DNS resolver:

      # RFC 7706
      auth-zone:
        name: "."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
        zonefile: root.zone
        master: 192.228.79.201        # b.root-servers.net
        master: 192.33.4.12           # c.root-servers.net
        master: 192.5.5.241           # f.root-servers.net
        master: 192.112.36.4          # g.root-servers.net
        master: 193.0.14.129          # k.root-servers.net
        master: 192.0.47.132          # xfr.cjr.dns.icann.org
        master: 192.0.32.132          # xfr.lax.dns.icann.org
        master: 2001:500:84::b        # b.root-servers.net
        master: 2001:500:2f::f        # f.root-servers.net
        master: 2001:7fd::1           # k.root-servers.net
        master: 2620:0:2830:202::132  # xfr.cjr.dns.icann.org
        master: 2620:0:2d0:202::132   # xfr.lax.dns.icann.org


      This still allows DNSSEC validation and so far seems to work fine here. With this the root zone will be cached in memory and in /var/unbound/root.zone so it doesn't have to be retrieved on every restart. Don't expect a massive speed increase, as this only affects the first step of resolving a DNS entry.

      Note: This is still very experimental, so be prepared for issues. If you are on pfSense 2.4.4 I would also suggest running a "pkg update" followed by a "pkg upgrade" on the console or via ssh to make sure unbound is at version 1.8.1.
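
The two things worth checking after enabling this are that the auth-zone block keeps the safe RFC 7706 settings (for-downstream: no, so clients never get served the local root copy as authoritative data; fallback-enabled: yes, so resolution continues normally if a transfer fails) and that the cached root.zone file is actually being refreshed. The following script is an added example, not part of the post above or of unbound itself; the config text and the zone snippet in it are constructed to mirror the post, and the function names are hypothetical.

```python
"""Sanity checks for an RFC 7706 root auth-zone in unbound.conf and for the
cached root.zone file.  Added example with constructed sample data."""
import ipaddress
import re
from datetime import date

# Constructed: the auth-zone block from the post, shortened to two masters.
SAMPLE_CONF = """\
# RFC 7706
auth-zone:
  name: "."
  for-downstream: no
  for-upstream: yes
  fallback-enabled: yes
  zonefile: root.zone
  master: 192.228.79.201 # b.root-servers.net
  master: 2001:500:84::b # b.root-servers.net
"""

# Constructed: first lines of a transferred root zone; the real root zone
# uses a YYYYMMDDNN serial, which lets us derive the publication date.
SAMPLE_ZONE = """\
.\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2018110200 1800 900 604800 86400
.\t518400\tIN\tNS\ta.root-servers.net.
"""


def parse_auth_zones(conf_text):
    """Return one dict per auth-zone: block, keyed by option name.
    'master' is collected as a list because the option repeats."""
    zones = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line == "auth-zone:":
            current = {"master": []}
            zones.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # split on the first colon only, so IPv6 masters stay intact
        key, value = (s.strip() for s in line.split(":", 1))
        value = value.strip('"')
        if key == "master":
            current["master"].append(value)
        else:
            current[key] = value
    return zones


def check_root_auth_zone(zone):
    """Return a list of findings (empty when the block is set up the RFC 7706 way)."""
    findings = []
    if zone.get("name") != ".":
        findings.append("name is not the root zone")
    if zone.get("for-upstream", "no") != "yes":
        findings.append("for-upstream should be yes, otherwise the cached zone is never used")
    if zone.get("for-downstream", "no") != "no":
        findings.append("for-downstream must be no so clients cannot query the root copy directly")
    if zone.get("fallback-enabled", "no") != "yes":
        findings.append("fallback-enabled should be yes so lookups survive a failed transfer")
    if not zone.get("zonefile"):
        findings.append("no zonefile, so the zone is re-fetched on every restart")
    if not zone["master"]:
        findings.append("no master addresses configured")
    for m in zone["master"]:
        try:
            ipaddress.ip_address(m)
        except ValueError:
            findings.append(f"master {m!r} is not an IP address")
    return findings


SOA_RE = re.compile(r"^\.\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d{10})\b", re.M)


def root_zone_serial_date(zone_text):
    """Return the publication date (ISO string) encoded in the root SOA serial."""
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no root SOA record found")
    s = m.group(1)
    return date(int(s[:4]), int(s[4:6]), int(s[6:8])).isoformat()


def root_zone_serial_age_days(zone_text, today=None):
    """Days between the SOA serial date and `today` (date, ISO string, or None for now).
    A copy more than a few days old means the transfers are not happening."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - date.fromisoformat(root_zone_serial_date(zone_text))).days


if __name__ == "__main__":
    for z in parse_auth_zones(SAMPLE_CONF):
        print("root auth-zone:", check_root_auth_zone(z) or "OK")
    print("cached zone age:", root_zone_serial_age_days(SAMPLE_ZONE, "2018-11-03"), "day(s)")
```

To check a live box, read the auth-zone block out of the generated unbound.conf and the zone text out of /var/unbound/root.zone (the path the post names) instead of the constructed samples; an age that keeps growing across days is the sign that the transfer from the listed masters is failing and fallback is silently doing all the work.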
