Hi All,
I have installed Unbound DNS on a Windows machine. Normal queries were working fine without DNSSEC. But when I tried to enable DNSSEC and validate the queries using the AD bit set, it's not working. Below is my unbound.conf file:
# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
    verbosity: 1
    statistics-interval: 30
    num-threads: 1
    interface: 0.0.0.0
    # enable cumulative statistics, without clearing them after printing.
    statistics-cumulative: yes
    # enable extended statistics (query types, answer codes, status)
    # printed from unbound-control. default off, because of speed.
    extended-statistics: yes
    outgoing-range: 512
    num-queries-per-thread: 1024
    msg-cache-size: 16m
    rrset-cache-size: 32m
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    cache-max-ttl: 86400
    infra-host-ttl: 60
    infra-lame-ttl: 120
    infra-cache-numhosts: 10000
    infra-cache-lame-size: 10k
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    access-control: 0.0.0.0/0 allow
    access-control: 192.168.1.0/24 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow
    #access-control: 0.0.0.0/0 refuse
    #chroot: "/etc/unbound"
    #username: "unbound"
    #directory: "/etc/unbound"
    logfile: "C:\unbound.log"
    #use-syslog: yes
    #logfile: ""
    #use-syslog: no
    #pidfile: "/etc/unbound/unbound.pid"
    root-hints: "C:\Program Files\Unbound\named.cache"
server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
server: dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
    val-log-level: 2
    # File with trusted keys for validation. Specify more than one file
    # with several entries, one file per entry.
    # Zone file format, with DS and DNSKEY entries.
    # Note this gets out of date, use auto-trust-anchor-file please.
    #trust-anchor-file: ""
    # Harden against receiving dnssec-stripped data. If you turn it
    # off, failing to validate dnskey data for a trustanchor will
    # trigger insecure mode for that zone (like without a trustanchor).
    # Default on, which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes
    identity: "DNS"
    version: "1.4"
    hide-identity: yes
    hide-version: yes
    harden-glue: no
    do-not-query-address: 127.0.0.1/8
    do-not-query-localhost: yes
    module-config: "validator iterator"
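The check the post is after, "does the resolver hand back the AD bit", is easiest to reason about on the wire. The following is an added example (not from the original post and not Unbound's own code): it builds a raw DNS query with the AD bit set in the header and an EDNS0 OPT record carrying the DO bit, then classifies the response header as secure (AD set), insecure (NOERROR without AD), or bogus/error (SERVFAIL, which is what a validating Unbound returns when validation fails). The `make_response` helper and the server address in `query` are assumptions for offline testing; the transaction ID in `query` is randomized as a real client would.

```python
"""Check whether a resolver returns DNSSEC-validated answers (AD bit set).

Added example, not part of the original post. Raw DNS message handling
only, so it runs offline against constructed responses; query() sends a
real UDP query when you point it at a resolver.
"""
import os
import socket
import struct

QTYPE_A = 1
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data (validated)
FLAG_CD = 0x0010  # checking disabled
RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, txid: int, qtype: int = QTYPE_A, dnssec_ok: bool = True) -> bytes:
    """Query with RD+AD in the header and, if dnssec_ok, an OPT RR with DO=1.

    Setting AD in a query asks the resolver to report the AD bit in its
    answer; the DO bit asks it to include DNSSEC records and to validate.
    """
    flags = FLAG_RD | FLAG_AD
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode 0,
        # EDNS version 0, Z field with DO bit (0x8000), rdlength 0.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields we care about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F, "ancount": an}


def classify(resp: bytes, expected_id: int) -> str:
    """secure / insecure / bogus-or-error / mismatch, from header bits alone."""
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "mismatch"  # not our answer; a spoofing attempt or stray packet
    if h["rcode"] == RCODE_SERVFAIL:
        # Validation failure or upstream failure; re-query with CD=1 to tell them apart.
        return "bogus-or-error"
    if h["rcode"] != 0:
        return "rcode-%d" % h["rcode"]
    return "secure" if h["ad"] else "insecure"


def make_response(txid: int, rcode: int = 0, ad: bool = False) -> bytes:
    """Constructed minimal response header, for offline testing only."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def query(server: str, qname: str, port: int = 53, timeout: float = 3.0) -> str:
    """Send one UDP query to `server` (assumed reachable) and classify the reply."""
    txid = int.from_bytes(os.urandom(2), "big")  # random ID, as RFC 5452 requires
    q = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp, _ = s.recvfrom(4096)
    return classify(resp, txid)


if __name__ == "__main__":
    print(query("127.0.0.1", "dnssec-failed.org"))  # a validating resolver answers bogus-or-error
```

Run it against the Unbound instance from the post with a zone you know is signed; "insecure" on a signed zone means the validator is not running or has no usable trust anchor, and "bogus-or-error" means validation ran and failed (with `val-log-level: 2` the reason is written to the log file configured above, which is the first place to look). Two settings in the posted configuration are worth revisiting while you are in there: `access-control: 0.0.0.0/0 allow` makes the machine an open resolver for anyone who can reach it, so the commented-out `0.0.0.0/0 refuse` line is the one that should be active with the private ranges allowed beneath it, and `harden-glue: no` disables a check Unbound enables by default.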