| 1 | Enabling DNSSEC validation with the root trust anchor in Unbound |
|---|
| 2 | ---------------------------------------------------------------- |
|---|
| 3 | |
|---|
| 4 | You need to log in to your resolver (cache) machine, i.e. for group 1, you |
|---|
| 5 | would use resolv.grp1.dns.nsrc.org, as you did in the unbound config |
|---|
| 6 | exercise |
|---|
| 7 | |
|---|
| 8 | 1. Grab the root key |
|---|
| 9 | |
|---|
| 10 | NOTE: This is only for the purpose of this lab - on the Internet, |
|---|
| 11 | you would simply use "unbound-anchor" to download the real root.key, |
|---|
| 12 | and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update |
|---|
| 13 | the key when necessary. |
|---|
| 14 | |
|---|
| 15 | In this lab, ask your instructor if we are using the "RZM" or not. |
|---|
| 16 | |
|---|
| 17 | Grab the key from the root server: |
|---|
| 18 | |
|---|
| 19 | # scp sysadm@a.root-servers.net:root.key /usr/local/etc/unbound/root.key |
|---|
| 20 | |
|---|
| 21 | Edit the /usr/local/etc/unbound/unbound.conf file and at the end of the server: section, set: |
|---|
| 22 | |
|---|
| 23 | trust-anchor-file: "/usr/local/etc/unbound/root.key" |
|---|
| 24 | |
|---|
| 25 | 2. Reload the nameserver |
|---|
| 26 | |
|---|
| 27 | # service unbound restart |
|---|
| 28 | |
|---|
| 29 | 3. dig @localhost +dnssec mytld. SOA |
|---|
| 30 | |
|---|
| 31 | What do you notice ? |
|---|
