NSS module for DNSSEC validated hostname lookups


    nss-ubdns - NSS module for DNSSEC validated hostname lookups

The nss-ubdns module for the glibc NSS (Name Service Switch) interface returns
DNSSEC validated lookups to the NSS "hosts" database.  It replaces the
standard libresolv-based "dns" module and uses the libunbound library for
caching and validation.


nss-ubdns requires libunbound and the libunbound development headers to build.

Run "make && make install", which will build the plugin and install it to
/usr/lib. Reset the "NSSDIR" Makefile variable if /usr/lib is not the correct
path for NSS plugins on your platform.


nss-ubdns reads the list of nameservers from the standard resolver
configuration file, /etc/resolv.conf. Only "nameserver" lines are used; any
other settings are ignored.

The file /etc/nss-ubdns/libunbound.conf, if it exists, will be used to
configure the libunbound library. See the unbound.conf(5) man page for more
details. A sample libunbound.conf file that minimizes the resources consumed
by the resolver is included with nss-ubdns.

Trust anchors are configured by creating files in the /etc/nss-ubdns/keys
directory. Only files ending in ".key" will be processed. If the unbound
server is in use, any files that are in use as auto-trust-anchor-files can be
symlinked into this directory.

To configure the Name Service Switch to use nss-ubdns instead of the glibc dns
plugin, edit the /etc/nsswitch.conf file and change "dns" to "ubdns" for the
hosts database (the line beginning with "hosts:").

Note that installing nss-ubdns will cause your host to generate additional DNS
queries. You may want to install a local DNS cache to reduce the upstream
impact of this additional load.
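The following shell script is an added example, not part of nss-ubdns, that checks a setup against the configuration rules described above: it lists the "nameserver" entries the module will use, the ".key" files it will load as trust anchors (and any files in the keys directory it will silently skip), and whether the "hosts:" line of nsswitch.conf has actually been switched from "dns" to "ubdns". The function names and the path arguments are this example's own; the defaults are the paths named in this README.

```shell
#!/bin/sh
# Sanity check for an nss-ubdns installation (example code, not part of nss-ubdns).

# Print the nameserver addresses nss-ubdns would use, one per line.
# Only "nameserver" lines count; search/domain/options lines are ignored.
ubdns_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the trust-anchor files that will actually be loaded (".key" suffix only).
ubdns_anchor_files() {
    for f in "$1"/*.key; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
}

# Print regular files in the keys directory that will be silently skipped
# because they do not end in ".key" (a common cause of "no validation").
ubdns_skipped_files() {
    for f in "$1"/*; do
        case "$f" in
            *.key) ;;
            *) [ -f "$f" ] && printf '%s\n' "$f" ;;
        esac
    done
}

# Return 0 if the "hosts:" line of nsswitch.conf names ubdns and no longer
# names the glibc dns plugin ("-w" keeps "dns" from matching inside "ubdns").
ubdns_hosts_line_ok() {
    line=$(grep -E '^[[:space:]]*hosts:' "$1" || true)
    echo "$line" | grep -qw ubdns && ! echo "$line" | grep -qw dns
}

# Human-readable report. Usage: ubdns_check [resolv.conf] [nsswitch.conf] [keysdir]
ubdns_check() {
    printf 'nameservers:\n';              ubdns_nameservers "${1:-/etc/resolv.conf}"
    printf 'trust anchors loaded:\n';     ubdns_anchor_files "${3:-/etc/nss-ubdns/keys}"
    printf 'ignored (no .key suffix):\n'; ubdns_skipped_files "${3:-/etc/nss-ubdns/keys}"
    if ubdns_hosts_line_ok "${2:-/etc/nsswitch.conf}"; then
        printf 'nsswitch hosts line: ubdns in use\n'
    else
        printf 'nsswitch hosts line: ubdns NOT in use (still "dns"?)\n'
    fi
}
```

Run `ubdns_check` with no arguments to inspect the live system, or pass copies of the three files to check a staged configuration.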


The "getent hosts", "getent ahostsv4", and "getent ahostsv6" commands can be
used to test nss-ubdns.

In the following examples, "" is an unsigned zone, "" is a
signed and validatable zone, and "" is a signed but
unvalidatable zone.

    $ getent hosts; echo $?

    $ getent hosts; echo $?

    $ getent hosts; echo $?


* Aliases are not handled correctly.

nss-ubdns returns something like this when the qname is an alias:

    $ getent hosts

while nss-dns returns something like this:

    $ getent hosts

* Long-running processes will not pick up changes to /etc/nss-ubdns and
/etc/resolv.conf. (Though unpatched glibc has the same problem, see This is a limitation of
the libunbound resolver API, which cannot be reconfigured after the first
resolution has been performed.