| 1 | Enabling DNSSEC validation with the root trust anchor in Unbound |
|---|
| 2 | ---------------------------------------------------------------- |
|---|
| 3 | |
|---|
| 4 | You need to log in to your resolver (cache) machine, i.e. for group 1, you |
|---|
| 5 | would use resolv.grp1.dns.nsrc.org, as you did in the unbound config |
|---|
| 6 | exercise |
|---|
| 7 | |
|---|
| 8 | 1. Grab the root key |
|---|
| 9 | |
|---|
| 10 | NOTE: This is only for the purpose of this lab - on the Internet, |
|---|
| 11 | you would simply use "unbound-anchor" to download the real root.key, |
|---|
| 12 | and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update |
|---|
| 13 | the key when necessary. |
|---|
| 14 | |
|---|
| 15 | In this lab, ask your instructor if we are using the "RZM" or not. |
|---|
| 16 | |
|---|
| 17 | With RZM |
|---|
| 18 | -------- |
|---|
| 19 | |
|---|
| 20 | Go to https://monitor.dnssek.org/, and copy the trust-anchor |
|---|
| 21 | statement (the ENTIRE line) from this page and paste it into |
|---|
| 22 | a file, /usr/local/etc/unbound/root.key |
|---|
| 23 | |
|---|
| 24 | Without RZM |
|---|
| 25 | ----------- |
|---|
| 26 | |
|---|
| 27 | Grab the key from the root server: |
|---|
| 28 | |
|---|
| 29 | # scp adm@a.root-servers.net:root.key /usr/local/etc/unbound/root.key |
|---|
| 30 | |
|---|
| 31 | Edit the /usr/local/etc/unbound/unbound.conf file: |
|---|
| 32 | |
|---|
| 33 | Find the "trust-anchor-file:" line, and change it from: |
|---|
| 34 | |
|---|
| 35 | # trust-anchor-file: "" |
|---|
| 36 | |
|---|
| 37 | to |
|---|
| 38 | |
|---|
| 39 | trust-anchor-file: "/usr/local/etc/unbound/root.key" |
|---|
| 40 | |
|---|
| 41 | 2. Reload the nameserver |
|---|
| 42 | |
|---|
| 43 | # service unbound restart |
|---|
| 44 | |
|---|
| 45 | 3. dig @localhost +dnssec . SOA |
|---|
| 46 | |
|---|
| 47 | What do you notice ? |
|---|
