1 | Enabling DNSSEC validation with the root trust anchor in Unbound |
---|
2 | ---------------------------------------------------------------- |
---|
3 | |
---|
4 | You need to log in to your resolver (cache) machine, i.e. for group 1, you |
---|
5 | would use resolv.grp1.dns.nsrc.org, as you did in the unbound config |
---|
6 | exercise |
---|
7 | |
---|
8 | 1. Grab the root key |
---|
9 | |
---|
10 | NOTE: This is only for the purpose of this lab - on the Internet, |
---|
11 | you would simply use "unbound-anchor" to download the real root.key, |
---|
12 | and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update |
---|
13 | the key when necessary. |
---|
14 | |
---|
15 | In this lab, ask your instructor if we are using the "RZM" or not. |
---|
16 | |
---|
17 | With RZM |
---|
18 | -------- |
---|
19 | |
---|
20 | |
---|
21 | Go to https://rzm.dnssek.org/, and copy the trust-anchor |
---|
22 | statement (the ENTIRE line) from this page and paste it into |
---|
23 | a file, /usr/local/etc/unbound/root.key |
---|
24 | |
---|
25 | Without RZM |
---|
26 | ----------- |
---|
27 | |
---|
28 | Grab the key from the root server: |
---|
29 | |
---|
30 | # scp sysadm@a.root-servers.net:root.key /usr/local/etc/unbound/root.key |
---|
31 | |
---|
32 | Edit the /usr/local/etc/unbound/unbound.conf file: |
---|
33 | |
---|
34 | Find the "trust-anchor-file:" line, and change it from: |
---|
35 | |
---|
36 | # trust-anchor-file: "" |
---|
37 | |
---|
38 | to |
---|
39 | |
---|
40 | trust-anchor-file: "/usr/local/etc/unbound/root.key" |
---|
41 | |
---|
42 | 2. Reload the nameserver |
---|
43 | |
---|
44 | # service unbound restart |
---|
45 | |
---|
46 | 3. dig @localhost +dnssec mytld. SOA |
---|
47 | |
---|
48 | What do you notice ? |
---|