Skip to content

Add optional OpenNIC root support (OPENNIC=1)#125

Open
zquestz wants to merge 1 commit into
DNSCrypt:masterfrom
zquestz:opennic
Open

Add optional OpenNIC root support (OPENNIC=1)#125
zquestz wants to merge 1 commit into
DNSCrypt:masterfrom
zquestz:opennic

Conversation

@zquestz

@zquestz zquestz commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Setting OPENNIC=1 on the container makes Unbound resolve from the OpenNIC
root instead of the ICANN root. Without the variable, nothing changes.

In OpenNIC mode, the generated config uses root-hints: "opennic.hints" and
auto-trust-anchor-file: "var/opennic.key" (seeded from the baked-in OpenNIC
KSK, then maintained via RFC 5011). The internic auth-zone and the
unbound-anchor call are skipped. The OpenNIC root carries the DS records of
the ICANN TLDs, so validation of the regular namespace is unaffected.

entrypoint.sh change: /etc/runit/2 execs env -, so service scripts never
see container env vars. start() writes the value to /etc/opennic-env and
unbound.sh reads it as a fallback.

The hints and KSK (key tag 60820) were fetched from two independent OpenNIC
servers over DoH and match the anchor published on the OpenNIC wiki. Refresh
instructions are in the README.

Tested: unbound-checkconf clean in both modes, default-mode config
unchanged. Deployed live behind dnscrypt-proxy: grep.geek resolves, and
com. SOA returns the ad flag through the OpenNIC anchor.

Let me know if there is anything you want me to adjust or improve. =)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant