Experimenting with RFC 7706 on unbound
-
You might have heard of RFC 7706 a proposal to cache the root zone on a local resolver to (slightly) improve resolving speed. Unbound supports it with its "Authority Zone Options" since version 1.7.0 so if you want to try it you can use the following entries in the advanced settings of the DNS resolver:
# RFC 7706 auth-zone: name:"." for-downstream: no for-upstream: yes fallback-enabled: yes zonefile: root.zone master: 192.228.79.201 # b.root-servers.net master: 192.33.4.12 # c.root-servers.net master: 192.5.5.241 # f.root-servers.net master: 192.112.36.4 # g.root-servers.net master: 193.0.14.129 # k.root-servers.net master: 192.0.47.132 # xfr.cjr.dns.icann.org master: 192.0.32.132 # xfr.lax.dns.icann.org master: 2001:500:84::b # b.root-servers.net master: 2001:500:2f::f # f.root-servers.net master: 2001:7fd::1 # k.root-servers.net master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
This still allows DNSSEC validation and so far seems to work fine here. With this the root zone will be cached in memory and in /var/unbound/root.zone so it doesn't have to be retrieved on every restart. Don't expect a massive speed increase, as this only affects the first step of resolving a DNS entry.
Note: This is still very experimental, so be prepared for issues. If you are on pfSense 2.4.4 I would also suggest to run a "pkg update" followed by a "pkg upgrade" on the console or via ssh to make sure unbound is at version 1.8.1.