Hi,
How can I add my local zone to be DNSSEC validated in unbound?
Any update!!!
Hi Adbalmonem,
You need to sign your zone. Then load the public key into unbound
(with trust-anchor-file: "myfile" and myfile is a text file with the
DNS resource records for the zone public key in it, you could simply
copy them from the zonefile).
Best regards,
Wouter
Hi Abdelmeniem,
Copy the DS record in a text file:
echo " .... DS record ... " > mykeyfile
Change unbound.conf:
trust-anchor-file: "mykeyfile"
restart unbound.
Best regards,
Wouter
Server No 1 for Unbound "172.16.96.196":-
I have already added
trust-anchor: "myTLD. IN DS 18016 7 2 C160C68025F1909143A28296355EA3999B98A1D10752124154UC84BC 4DE82627"
service unbound restart >>> ok
Server No 2 for Unbound:-
This server contains the signed zone added to named.conf; I edited /etc/resolv.conf to point to server no 1 "nameserver --------".
When I try to dig myDOmain.myTLD "A record":
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> +dnssec myDOmain.myTLD +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50746
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;myDOmain.myTLD. IN A
;; Query time: 0 msec
;; SERVER: 172.16.96.196#53(172.16.96.196)
;; WHEN: Fri Sep 19 14:11:40 2014
;; MSG SIZE rcvd: 49
Could you advise?
Really appreciate your reply.
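An added example, not code from this thread or from the Unbound project, that sanity-checks a DS record before it is placed in a trust-anchor-file or on a trust-anchor: line, since a resolver that cannot parse its trust anchor has nothing to validate against. The digest lengths follow RFC 4034 and the IANA DS digest-type registry; the algorithm set is an assumed list of commonly validated algorithms, not an Unbound feature list; the valid record is constructed, and the second input is the trust-anchor line quoted above. A digest containing a character outside 0-9/A-F is not hexadecimal, so it can never match a DNSKEY hash, and the check reports exactly that.

```python
import re

# DS digest type -> (name, digest length in bytes), per RFC 4034 / IANA registry.
DS_DIGEST_TYPES = {
    1: ("SHA-1", 20),
    2: ("SHA-256", 32),
    3: ("GOST R 34.11-94", 32),
    4: ("SHA-384", 48),
}

# Assumption: DNSSEC algorithms a present-day validator is expected to handle.
KNOWN_ALGORITHMS = {5, 7, 8, 10, 13, 14, 15, 16}

# The trust-anchor line quoted in the thread above, reused here as test input.
THREAD_TRUST_ANCHOR_LINE = (
    'trust-anchor: "myTLD. IN DS 18016 7 2 '
    'C160C68025F1909143A28296355EA3999B98A1D10752124154UC84BC 4DE82627"'
)

# Constructed, syntactically valid DS record (the digest bytes are arbitrary).
CONSTRUCTED_VALID_DS = "example.test. IN DS 12345 8 2 " + "ab12cd34" * 8


def extract_rr(config_line):
    """Return the RR text from a `trust-anchor: "..."` line, or the bare line itself."""
    m = re.match(r'\s*trust-anchor:\s*"(.*)"\s*$', config_line)
    return m.group(1) if m else config_line.strip()


def check_ds_record(rr_text):
    """Check one DS record in presentation format; return a list of problems ([] means OK)."""
    problems = []
    fields = rr_text.split()
    if "DS" not in fields:
        return ["not a DS record"]
    idx = fields.index("DS")          # optional TTL / class tokens sit before this
    owner, rdata = fields[0], fields[idx + 1:]
    if len(rdata) < 4:
        return ["DS rdata needs key tag, algorithm, digest type and digest"]
    if not owner.endswith("."):
        problems.append(f"owner name {owner!r} is not fully qualified (no trailing dot)")
    try:
        keytag, algorithm, digest_type = (int(x) for x in rdata[:3])
    except ValueError:
        return ["key tag, algorithm and digest type must be integers"]
    if not 0 <= keytag <= 65535:
        problems.append(f"key tag {keytag} is outside 0..65535")
    if algorithm not in KNOWN_ALGORITHMS:
        problems.append(f"algorithm {algorithm} is not in the expected validator set")
    # RFC 4034 allows whitespace inside the hex digest, so join the remaining tokens.
    digest = "".join(rdata[3:])
    if digest_type not in DS_DIGEST_TYPES:
        problems.append(f"unknown digest type {digest_type}")
    else:
        name, nbytes = DS_DIGEST_TYPES[digest_type]
        if len(digest) != 2 * nbytes:
            problems.append(
                f"{name} digest must be {2 * nbytes} hex chars, got {len(digest)}")
    bad = sorted({c for c in digest if c not in "0123456789abcdefABCDEF"})
    if bad:
        problems.append(f"digest contains non-hex characters: {bad}")
    return problems


def check_trust_anchor_file(text):
    """Check every record line of a trust-anchor-file (or unbound.conf snippet).

    Returns {line_number: problems} for lines that have problems."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(";") or stripped.startswith("#"):
            continue
        problems = check_ds_record(extract_rr(stripped))
        if problems:
            report[lineno] = problems
    return report


if __name__ == "__main__":
    sample_file = CONSTRUCTED_VALID_DS + "\n; comment\n" + THREAD_TRUST_ANCHOR_LINE + "\n"
    for lineno, problems in check_trust_anchor_file(sample_file).items():
        print(f"line {lineno}:")
        for p in problems:
            print(f"  - {p}")
```

Running it reports only the thread's record, pointing at the 'U' in the digest; a clean DS (or DNSKEY, if you prefer to anchor on the key itself as the first reply suggests) produces no output. A parse-level check like this belongs next to unbound-checkconf in any workflow that hand-copies trust anchors into config.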