Track2Agenda: dnssec-unbound-enable-validation.txt

File dnssec-unbound-enable-validation.txt, 1022 bytes (added by Andy Linton, 6 years ago)
Enabling DNSSEC validation with the root trust anchor in Unbound
----------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1, you
would use resolv.grp1.dns.nsrc.org, as you did in the unbound config
exercise.

1. Grab the root key

    NOTE: This is only for the purpose of this lab - on the Internet,
    you would simply use "unbound-anchor" to download the real root.key,
    and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
    the key when necessary.

    In this lab, ask your instructor if we are using the "RZM" or not.

    Grab the key from the root server:

    # scp sysadm@a.root-servers.net:root.key /usr/local/etc/unbound/root.key

    Edit the /usr/local/etc/unbound/unbound.conf file and at the end of the server: section, set:

    trust-anchor-file: "/usr/local/etc/unbound/root.key"

2. Reload the nameserver

    # service unbound restart

3. dig @localhost +dnssec mytld. SOA

    What do you notice?
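
One way to check the result of step 3 from a script, as an added example that
is not part of the original exercise file: it classifies the header of a dig
reply by its status and the AD (Authenticated Data) flag, which a validating
resolver sets on answers it has verified. The function name classify_dig and
the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the header of a "dig +dnssec" reply read on stdin.
#   secure   - NOERROR with the AD flag: the resolver validated the answer
#   insecure - NOERROR without AD: the answer was not validated
#   servfail - SERVFAIL: with validation on, often a signature or trust
#              anchor problem; repeat the query with +cd to compare
#   other    - any other status, or no header found
classify_dig() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags: */, "", flags)   # drop the label
            sub(/;.*/, "", flags)            # drop the counters after ";"
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "SERVFAIL") print "servfail"
            else if (status == "NOERROR" && ad) print "secure"
            else if (status == "NOERROR") print "insecure"
            else print "other"
        }'
}

# Constructed sample headers (not captured from the lab resolver).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$s" | classify_dig
done

# On the lab resolver: dig @localhost +dnssec mytld. SOA | classify_dig
```

A "servfail" result does not by itself prove a validation failure; comparing
against the same query with +cd (checking disabled) separates a bad signature
or trust anchor from an unreachable zone.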