Agenda: dnssec-unbound-enable-validation.txt

File dnssec-unbound-enable-validation.txt, 1.3 KB (added by admin, 5 years ago)
Enabling DNSSEC validation with the root trust anchor in Unbound
----------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1, you
would use resolv.grp1.dns.nsrc.org, as you did in the unbound config
exercise.

1. Grab the root key

    NOTE: This is only for the purpose of this lab - on the Internet,
    you would simply use "unbound-anchor" to download the real root.key,
    and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
    the key when necessary.

    In this lab, ask your instructor if we are using the "RZM" or not.

        With RZM
        --------

        Go to https://monitor.dnssek.org/, and copy the trust-anchor
        statement (the ENTIRE line) from this page and paste it into
        a file, /usr/local/etc/unbound/root.key

        Without RZM
        -----------

        Grab the key from the root server:

            # scp adm@a.root-servers.net:root.key  /usr/local/etc/unbound/root.key

    Edit the /usr/local/etc/unbound/unbound.conf file:

    Find the "trust-anchor-file:" line, and change it from:

        # trust-anchor-file: ""

    to

        trust-anchor-file: "/usr/local/etc/unbound/root.key"

2. Reload the nameserver

    # service unbound restart

3. dig @localhost +dnssec . SOA

    What do you notice?
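
A pre-flight check for step 1 that can be run before the restart in step 2. It is an added example, not part of the original lab: the function name check_trust_anchor, its return codes and the sample files are assumptions made for illustration. It also assumes root.key holds zone-file format DS or DNSKEY records, which is the format "trust-anchor-file:" reads.

```shell
#!/bin/sh
# Pre-restart check for the trust anchor configured in unbound.conf.
# Return codes are this example's own: 0 ok, 1 no active directive,
# 2 key file missing or empty, 3 no root DS/DNSKEY record in the key file.
check_trust_anchor() {
    conf=$1
    # Take the last active (not commented out) trust-anchor-file or
    # auto-trust-anchor-file value, with the quotes stripped.
    keyfile=$(awk '
        /^[ \t]*#/ { next }
        $1 == "trust-anchor-file:" || $1 == "auto-trust-anchor-file:" {
            gsub(/"/, "", $2); print $2
        }' "$conf" | tail -n 1)
    if [ -z "$keyfile" ]; then
        echo "FAIL: no active trust-anchor-file in $conf" >&2; return 1
    fi
    if [ ! -s "$keyfile" ]; then
        echo "FAIL: $keyfile is missing or empty" >&2; return 2
    fi
    # Zone-file format record owned by the root: ". [ttl] [class] DS|DNSKEY ..."
    if ! grep -Eq '^\.[[:space:]]+(.*[[:space:]])?(DS|DNSKEY)[[:space:]]' "$keyfile"; then
        echo "FAIL: no root DS/DNSKEY record in $keyfile" >&2; return 3
    fi
    echo "OK: $conf uses trust anchor $keyfile"
}

# Constructed sample files (not real key material) so the check runs offline.
demo=$(mktemp -d)
printf '. IN DS 12345 8 2 %064d\n' 0 > "$demo/root.key"   # placeholder digest
printf 'server:\n    # trust-anchor-file: ""\n' > "$demo/before.conf"
printf 'server:\n    trust-anchor-file: "%s"\n' "$demo/root.key" > "$demo/after.conf"
printf 'server:\n    trust-anchor-file: "%s"\n' "$demo/absent.key" > "$demo/typo.conf"

check_trust_anchor "$demo/before.conf" || echo "before.conf -> rc=$?"
check_trust_anchor "$demo/after.conf"  || echo "after.conf -> rc=$?"
check_trust_anchor "$demo/typo.conf"   || echo "typo.conf -> rc=$?"
```

On the lab machine, call check_trust_anchor /usr/local/etc/unbound/unbound.conf instead of the sample files.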