How to use Alternative Other Root DNS server with DNSSEC validation

Hi,
There are many other Root servers other than the ICANN Root servers. For
example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
(http://www.opennicproject.org/), New Nations (New-Nations.net),
Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org), 42
(http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
DNS) (i-dns.net), Public-Root (http://public-root.com), UnifiedRoot
(unifiedroot.com), etc.

How can I integrate all of them into one Unbound, or into a central Unbound, to
use all of their TLDs, which are not found in the default ICANN/IANA root servers?

For example, I had to add these in unbound.conf/service.conf for the '42' TLD:

domain-insecure: "42"
stub-zone:
  name: "42"
  stub-addr: 91.191.147.246 # 42Registry a.42tld-servers.net europe
  stub-addr: 91.191.147.243 # 42Registry b.42tld-servers.net europe
  stub-addr: 79.143.244.68 # 42Registry c.42tld-servers.net europe

Now, with the above 6 lines, I could not ping or browse the website at
"search.42" :frowning: but 'dig' and 'nslookup' do resolve/show the NS,
A, etc. records successfully.
I tried "dig 42. any +dnssec", but the flags do not show the 'ad' bit, only
'qr rd ra'. The answer does show an 'SOA' with "a.42tld-servers.net.
tech.42registry.org.", and 4 'NS' records showing "a/b/c/d.42tld-servers.net.".

So what is/are wrong?
If the 42 TLD supports/has DNSSEC components, then how can I use them? Or
how do I enable DNSSEC for the 42 TLD?

Similarly to the above, I added domain-insecure and stub-zone for the .bit TLD
in the 'unbound.conf' / 'service.conf' file. 'ping', 'nslookup', 'dig'
etc. worked on the http://dot-bit.bit/ site/host/domain. :slight_smile:

The CesidianRoot proper root DNS server/system has at least 84 TLDs of
its own. And they can also resolve other TLDs from other root DNS
servers.
I added all of them (CesidianRoot and the other roots' TLDs) in this way;
I'm showing only a few TLDs as an example instead of all 84 TLDs here:

domain-insecure: "5wc"
domain-insecure: "cesidio"
domain-insecure: "linna"
domain-insecure: "free"
...
stub-zone:
  name: "cesidianroot-dnsSrv-randNum1.net"
  stub-addr: 178.254.3.55 # Master CesidianRoot.net Root Server
  stub-addr: 50.77.217.162 # CesidianRoot.net North America
  stub-addr: 199.193.252.198 # CesidianRoot.net North America
  stub-addr: 78.47.115.194 # CesidianRoot.net Europe
  stub-addr: 78.47.115.197 # CesidianRoot.net Europe
  stub-addr: 122.155.6.181 # CesidianRoot.net South-East Asia
  stub-addr: 182.163.74.213 # CesidianRoot.net South-East Asia
  stub-addr: 116.90.134.19 # CesidianRoot.net Australia & Oceania
  stub-addr: 200.58.125.62 # CesidianRoot.net South America
  stub-addr: 196.41.137.142 # CesidianRoot.net Sub-Saharan Africa
stub-zone:
  name: "5wc"
  stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
stub-zone:
  name: "cesidio"
  stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
stub-zone:
  name: "linna"
  stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
stub-zone:
  name: "free"
  stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
...

But when I tried to do ping/nslookup/dig on any TLD chosen at random from
CesidianRoot, none of the tools worked! :frowning: :frowning:

What is/are wrong? I used this "cesidianroot-dnsSrv-randNum1.net"
domain name because no such domain exists in real life. Do I need to
define/declare 'ns' & 'cesidianroot-dnsSrv-randNum1.net', which are used
in the stub-host: "ns.cesidianroot-dnsSrv-randNum1.net" line?

And please help me to find a solution where I don't have to repeat those 10
stub-addr DNS servers of CesidianRoot for each of those 84 TLDs, 84
times; that would become at least 11 x 84 lines of configuration! How can I
reduce the number of lines?

If the CesidianRoot TLDs support/have DNSSEC components/records, then how
can I use them, or how do I enable DNSSEC for CesidianRoot?

CesidianRoot can also resolve TLDs authoritatively maintained by the
New-Nations.net root system and the i-DNS.net root system. All of those
TLDs are currently using 'ns.cesidianroot-dnsSrv-randNum1.net' as
stub-host in the 'service.conf' / 'unbound.conf' file. Since
CesidianRoot is not the SOA / AA / DS for the New-Nations.net & i-DNS.net TLDs,
am I supposed to change the stub-host of those TLDs from
'ns.cesidianroot-dnsSrv-randNum1.net' to
'ns.new-nations-net-dnsSrv-randNum1.net' /
'ns.i-dns-net-dnsSrv-randNum1.net'?

If I could use CesidianRoot with DNSSEC via Unbound (along with the
default ICANN-provided TLDs), then I could apply a similar method/approach
for the other root DNS servers, which are similar.

By the way, your IRC channel #unbound on irc.freenode.net is very
inactive, and some users who did post some messages, instead of helping
out, question the 'question'! Or question the 'user' who is
posting the question or asking for help! Instead of asking more about
the problem itself, and what can be done to solve it! Very unfriendly
attitudes. Most likely these users do not like to help others, or are
grumpy, or busy with something else, or expecting something else from users.

On the website, please add SHA1 and SHA256 hashes/checksums of the Windows binary
files, thanks.

Thanks for all your help.
~ Bry8Star.
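The "11 x 84 lines" question in the post above, and the "overlapping domain names" and "84 trust-anchor-file lines" questions that come up later in the thread, are the kind of thing a small generator handles: keep one compact table per alternative-root operator and emit the repetitive stub-zone, domain-insecure and trust-anchor lines from it. This is an added example, not code from the thread or from the Unbound project; every operator name, server address and DS value in it is a constructed placeholder.

```python
"""Generate the repetitive per-TLD part of an unbound.conf from a compact
table of alternative-root operators.

Added example, not part of the original thread or of the Unbound project.
Every operator name, server address and DS value below is a constructed
placeholder (documentation address ranges); real values have to come from
the operator whose TLDs you actually want to resolve.
"""
import ipaddress
import re

# Constructed sample table. Per operator: the authoritative servers that
# become stub-addr lines for each TLD it serves, the TLDs themselves, and
# (only for TLDs that are actually signed) the DS rdata for the anchor.
ALT_ROOTS = {
    "example-root-a": {
        "addrs": ["192.0.2.1", "192.0.2.2", "2001:db8::1"],
        "tlds": ["alpha", "beta", "gamma"],
        "ds": {"alpha": "12345 8 2 " + "ab" * 32},   # constructed DS rdata
    },
    "example-root-b": {
        "addrs": ["198.51.100.7"],
        "tlds": ["delta"],
        "ds": {},
    },
}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate(alt_roots):
    """Return a list of problems; an empty list means the table is usable."""
    problems = []
    for root, spec in alt_roots.items():
        if not spec["addrs"]:
            # A stub-zone whose only stub-host lives in a zone Unbound cannot
            # resolve (the 'randNum' trick in the thread) never works; insist
            # on literal addresses instead.
            problems.append(f"{root}: no stub-addr given")
        for addr in spec["addrs"]:
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{root}: bad address {addr!r}")
        for tld in spec["tlds"]:
            if not LABEL_RE.match(tld.lower()):
                problems.append(f"{root}: bad TLD label {tld!r}")
        for tld in spec.get("ds", {}):
            if tld not in spec["tlds"]:
                problems.append(f"{root}: DS for unknown TLD {tld!r}")
    return problems


def find_collisions(alt_roots, reserved=frozenset()):
    """Map every TLD claimed by more than one operator, or also present in
    `reserved` (e.g. the TLDs of the ICANN root), to the operators claiming
    it. Such a name has no single agreed meaning and should not be configured."""
    claims = {}
    for root, spec in alt_roots.items():
        for tld in spec["tlds"]:
            claims.setdefault(tld.lower(), []).append(root)
    return {t: r for t, r in claims.items() if len(r) > 1 or t in reserved}


def render_config(alt_roots, anchor_path):
    """Return (unbound_conf_text, trust_anchor_file_text)."""
    server, zones, anchors = ["server:"], [], []
    for root, spec in alt_roots.items():
        for tld in spec["tlds"]:
            if tld in spec.get("ds", {}):
                # Signed TLD: the DS goes into the trust-anchor file and the
                # TLD must NOT also be marked domain-insecure, or the validator
                # would simply be switched off for it.
                anchors.append(f"{tld}. IN DS {spec['ds'][tld]}")
            else:
                server.append(f'    domain-insecure: "{tld}"')
            zones.append(f"stub-zone:  # served by {root}")
            zones.append(f'    name: "{tld}"')
            zones.extend(f"    stub-addr: {a}" for a in spec["addrs"])
    if anchors:
        # One trust-anchor-file holds any number of DS/DNSKEY records, so
        # 84 signed TLDs still need only this single line.
        server.append(f'    trust-anchor-file: "{anchor_path}"')
    conf = "\n".join(server + zones) + "\n"
    return conf, "".join(a + "\n" for a in anchors)


if __name__ == "__main__":
    errs = validate(ALT_ROOTS) + [
        f"collision: {t} claimed by {r}" for t, r in find_collisions(ALT_ROOTS).items()
    ]
    if errs:
        raise SystemExit("\n".join(errs))
    conf, anchors = render_config(ALT_ROOTS, "/etc/unbound/alt-roots.key")
    print(conf)
    print(anchors)
```

The generated text can be pulled into the main unbound.conf with an `include:` line, so the hand-maintained file stays short while the generated one carries the repetition.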

Hi,

Hi,

There are many other Root servers other than the ICANN Root servers. For
example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
(http://www.opennicproject.org/), New Nations (New-Nations.net),
Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org), 42
(http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
DNS) (i-dns.net), Public-Root (http://public-root.com), UnifiedRoot
(unifiedroot.com), etc.

How can I integrate all of them into one Unbound, or into a central Unbound, to
use all of their TLDs, which are not found in the default ICANN/IANA root servers?

That is gonna be an interesting journey to get that working if you want
DNSSEC.

Extra root servers, especially with DNSSEC, seem kind of unlikely to me.

As the ICANN root is signed, you can't really add other data to a signed zone
at the same level as far as I know.

Extra TLDs should be possible.

You'll need a stub-zone and (auto-)trust-anchor for each TLD that supports DNSSEC.

However a validating resolver on a desktop/laptop/mobile device which does not
have that installed would reject the data.

Not many of those around though. Not yet anyway, but Chrome already has a DNSSEC-validator,
they are adding a DNS-resolver and they have a way of updating the root key.

The solution for not having to create such a large configuration file might
be that someone, probably the alternative root or TLD operators, could create
a DLV registry.

That might help.

But I'm no expert on DLV.

> Hi,

Hi,

> There are many other Root servers other than the ICANN Root servers. For
> example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
> (http://www.opennicproject.org/), New Nations (New-Nations.net),
> Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org), 42
> (http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
> DNS) (i-dns.net), Public-Root (http://public-root.com), UnifiedRoot
> (unifiedroot.com), etc.
>
> How can I integrate all of them into one Unbound, or into a central Unbound, to
> use all of their TLDs, which are not found in the default ICANN/IANA root servers?
>

That is gonna be an interesting journey to get that working if you want
DNSSEC.

Extra root servers, especially with DNSSEC, seem kind of unlikely to me.

As the ICANN root is signed, you can't really add other data to a signed zone
at the same level as far as I know.

Extra TLDs should be possible.

You'll need a stub-zone and (auto-)trust-anchor for each TLD that supports DNSSEC.

However a validating resolver on a desktop/laptop/mobile device which does not
have that installed would reject the data.

I should probably add:

As the above is the case, I wouldn't be surprised if this won't work in 5 or 10 years.

It might be that by then a significant number of hosts will have a DNSSEC-validator
and enabled by default.

If you run an alternative TLD, it would be a good idea in the long run to look
at registering your TLD at ICANN.

The other alternative is browser or OS add-ons which handle the alternative TLDs, but
as more and more different devices get Internet enabled, it might need to be created
for many platforms.

The solution for not having to create such a large configuration file might
be that someone, probably the alternative root or TLD operators, could create
a DLV registry.

DLV is basically a DNS zone which contains a DLV RR for each domain it
handles. The rdata of the DLV is what you'd normally put in the DS RR
for the zone.

e.g.

$ dig +noall +answer qupps.biz DS
qupps.biz. 3899 IN DS 27112 5 1 483610EFD4991F0AC114F44747061E3603D56C86

$ dig +noall +answer qupps.biz.dlv.isc.org DLV
qupps.biz.dlv.isc.org. 3356 IN DLV 27112 5 1 483610EFD4991F0AC114F44747061E3603D56C86

Regards,

        -JP

It was mostly the details I wasn't sure about.

The first thing I would try is to create an alternative unsigned root and a DLV-repository
with all the signed TLDs, then you add a trust-anchor for the domain of the DLV-repository
to the recursor. I would guess that would work.

I would guess that would work.

Sure, that'll work. (And then somebody can get rich fast. :wink:)

        -JP

There are many other Root servers other than the ICANN Root servers. For
example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
(http://www.opennicproject.org/), New Nations (New-Nations.net),
Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org), 42
(http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
DNS) (i-dns.net), Public-Root (http://public-root.com), UnifiedRoot
(unifiedroot.com), etc.

And we had alternic, alternet, .bofh and many others. They all died.

How can I integrate all of them into one Unbound, or into a central Unbound, to
use all of their TLDs, which are not found in the default ICANN/IANA root servers?

How are you going to deal with overlapping domain names?

For example, I had to add these in unbound.conf/service.conf for the '42' TLD:

domain-insecure: "42"
stub-zone:
  name: "42"
  stub-addr: 91.191.147.246 # 42Registry a.42tld-servers.net europe
  stub-addr: 91.191.147.243 # 42Registry b.42tld-servers.net europe
  stub-addr: 79.143.244.68 # 42Registry c.42tld-servers.net europe

Try using a forward zone? Either in the config or using:

sudo unbound-control forward_add 42 91.191.147.246 91.191.147.243 79.143.244.68

if 42 TLD supports/has DNSSEC components, then how can i use them ? or
how to enable DNSSEC for 42 TLD ?

You can preload any DNSSEC key with trusted-keys-file. What you are doing
(at the root) is not much different from adding "private views" higher up.
So googling for "bind views" might help you as well.

By the way, your IRC channel #unbound on irc.freenode.net is very
inactive, and some users who did post some messages, instead of helping
out, question the 'question'! Or question the 'user' who is
posting the question or asking for help! Instead of asking more about
the problem itself, and what can be done to solve it! Very unfriendly
attitudes. Most likely these users do not like to help others, or are
grumpy, or busy with something else, or expecting something else from users.

What you are trying to accomplish is wrong. Scattering roots and losing
the global agreement on an address is just bad. I recommend you read:

http://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the-dns-and-have-it-too/

Paul

Thanks Leen Besselink & Jan-Piet Mens.
I now have a bit better understanding of the DLV registry & DNSSEC.
So it should be added/done by the authority (the alternative root DNS
operator) who is maintaining the (set of) TLDs outside of ICANN/IANA.

So for better & successful DNSSEC validation, other than adding their
own DS and RRSIG records for the set of TLDs, a TLD / AltRootDNS operator needs
to add some of that record info inside the DLV registry as well.

Please see my other email for the other issues I'm having.

Here is my config file, please see what is wrong:

# BEGIN of service.conf / unbound.conf file
server:
verbosity: 3
statistics-interval: 0
statistics-cumulative: "no"
extended-statistics: "no"
num-threads: 2
interface: 127.0.0.1
interface: 192.168.0.10
interface: ::1
interface-automatic: "no"
port: 53
outgoing-interface: 192.168.0.10
outgoing-range: 400
outgoing-port-permit: 52000-56096
outgoing-port-avoid:
"22,25,26,37,53,54,55,67,68,69,80,110,123,135,137,138,139,143,443,445,465,500,587,843,990,912,993,995,1025,1863,1935,2082,2083,2096,2400,4242,4400,4421,4444,4445,4480,4500,4569,5038,5050,5060,5061,5062,5063,5064,5065,5198,5199,5200,5222,5555,5800,5801,5900,5901,6666,6667,6668,6669,7000,7001,7002,7003,7004,7005,7006,7658,7659,7660,7777,8050,8052,8054,8056,8058,8060,8080,8110,8118,8120,8123,8125,8143,8210,8225,8243,8998,9001,9022,9030,9050,9051,9052,9053,9054,9055,9056,9057,9058,9059,9060,9080,10000,15000,15001,15002,15003,15004,16001,16999,20000,20001,25000,26999,30600,31000,32000,36999,50300"
outgoing-num-tcp: 10
incoming-num-tcp: 10
so-rcvbuf: 8m
so-sndbuf: 8m
edns-buffer-size: 4096
msg-buffer-size: 65552
msg-cache-size: 24m
msg-cache-slabs: 4
num-queries-per-thread: 200
jostle-timeout: 200
rrset-cache-size: 48m
rrset-cache-slabs: 4
cache-min-ttl: 0
cache-max-ttl: 21600
infra-host-ttl: 900
infra-cache-slabs: 4
infra-cache-numhosts: 10000
do-ip4: "yes"
do-ip6: "no" # for now
do-udp: "yes"
do-tcp: "yes"
tcp-upstream: "no"
do-daemonize: "yes"
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.10/24 allow
access-control: ::1 allow
logfile: "C:\Program Files\Unbound\unbound.log"
use-syslog: "no"
log-time-ascii: "yes"
log-queries: "no"
root-hints: "C:\Program Files\Unbound\named.cache"
hide-identity: "yes"
hide-version: "yes"
identity: "DNS"
version: "1.0.0"
target-fetch-policy: "3 2 1 1 1 1"
harden-short-bufsize: "no"
harden-large-queries: "no"
harden-glue: "yes"
harden-dnssec-stripped: "yes"
harden-below-nxdomain: "no"
harden-referral-path: "no"
use-caps-for-id: "no"
unwanted-reply-threshold: 1000
prefetch: "yes"
prefetch-key: "yes"
rrset-roundrobin: "yes"
minimal-responses: "no"
module-config: "validator iterator"
dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
# Downloaded from http://ftp.isc.org/www/dlv/dlv.isc.org.key
# DLV, DNS Lookaside Validation, for the root
auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
#trust-anchor-file: "<filename>"
# File with trusted keys for validation. Specify more
# than one file with several entries, one file per entry.
# Standard DNS Zone file format, with DS, DNSKEY entries.
#trusted-keys-file: "<filename>"
# File with trusted keys for validation. Specify more
# than one file with several entries, one file per entry.
# Like trust-anchor-file, but in BIND-9 format.
domain-insecure: "42"
domain-insecure: "ovh"
domain-insecure: "bit"
domain-insecure: "ita"
domain-insecure: "geek"
# other TLDs that are inside other AltRootDNS
val-bogus-ttl: 60
val-sig-skew-max: 86400
val-clean-additional: "yes"
val-permissive-mode: "no"
ignore-cd-flag: "yes"
val-log-level: 2
#val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
key-cache-size: 24m
key-cache-slabs: 4
neg-cache-size: 4m
local-zone: "onion." refuse # disallow via public route
local-zone: "i2p." refuse # suppose to go via proxy route
remote-control:
control-enable: "no"
stub-zone:
name: "42" # http://42registry.org/
stub-addr: 91.191.147.246 # name / DNS Srvr
stub-addr: 91.191.147.243
stub-addr: 79.143.244.68
# test with "search.42"
stub-zone:
name: "ovh" # http://ovh.co.uk/
stub-addr: 213.251.128.133 # name / DNS Srvr
stub-addr: 213.251.188.133
stub-zone:
name: "bit" # http://dot-bit.org
stub-addr: 178.32.31.41 # name / DNS Srvr
stub-addr: 108.174.61.249
stub-addr: 78.47.86.43
stub-addr: 96.127.133.37
stub-addr: 69.194.226.23
stub-addr: 194.71.109.237
# test with "dot-bit.bit"
# OpenNIC : http://www.opennicproject.org/ :
# TLDs: .geek, .free, .bbs, .parody, .oss,
# .indy, .fur, .ing, .micro, .dyn, .neo,
# .pirate, gopher and null.
stub-zone:
name: "opennicproj-rtDnsSrvr-randNum01.com"
stub-addr: 66.244.95.20 # name / DNS Srvr
stub-addr: 74.207.247.4
stub-addr: 216.87.84.211
stub-addr: 66.90.81.200
stub-addr: 94.23.246.31
stub-addr: 95.142.171.235
stub-addr: 82.237.169.10
stub-addr: 202.83.95.227
stub-addr: 58.6.115.42
stub-prime: no
stub-first: no
stub-zone:
name: "geek"
stub-host: "ns.opennicproj-rtDnsSrvr-randNum01.com"
# test with "grep.geek"
# ... around 14 OpenNIC TLDs
# CesidianRoot : http://www.cesidianroot.net/
# Cesidian Root proper (84 TLDs), they also resolve
# other Alt Root DNS's TLDs
stub-zone: # http://www2.world-dns.net/
name: "cesidianroot-dnsSrvr-randNum02.net"
stub-addr: 178.254.3.55 # name/DNS server
stub-addr: 50.77.217.162
stub-addr: 199.193.252.198
stub-addr: 78.47.115.194
stub-addr: 78.47.115.197
stub-addr: 122.155.6.181
stub-addr: 182.163.74.213
stub-addr: 116.90.134.19
stub-addr: 200.58.125.62
stub-addr: 196.41.137.142
stub-zone:
name: "ita"
stub-host: "ns.cesidianroot-dnsSrvr-randNum02.net"
# test with "governo.ita"
# ... around 84 CesidianRoot TLDs
forward-zone:
name: "."
forward-addr: i.p.adrs.1 # AT&T ISP # Recursive/Caching
forward-addr: i.p.adrs.2 # AT&T ISP # Recursive/Caching
# END of service.conf / unbound.conf file

I can at least (inconsistently) do ping or nslookup or dig on test sites
in the 42, ovh and bit TLDs,
but could not do so for test sites in TLDs like geek and ita.

Thanks for your help in advance,
Bry8Star.

Hi Leen, Paul,

You'll need a stub-zone and (auto-)trust-anchor for
each TLD that supports DNSSEC.

if 42 TLD supports/has DNSSEC components, then
how can i use them ? or
how to enable DNSSEC for 42 TLD ?

You can preload any dnssec key with trusted-keys-file:
What you are doing (at the root) is not much different
from adding "private views" higher up. So googling for
"bind views" might help you as well.

For example, let us assume the '42' TLD has its own DS, RRSIG, etc. DNSSEC
records for the "42." TLD; then would doing the following suffice in
service.conf or in unbound.conf?
# removed or 'commented-out' the below line
#domain-insecure: "42"
# trust-anchor-file is a server: option, so it has to stay in the
# server: section, before any stub-zone: clause
trust-anchor-file: "C:\Program Files\Unbound\42registry.42.key"
stub-zone:
  name: "42" # http://42registry.org/
  stub-addr: 91.191.147.246 # name / DNS Srvr
  stub-addr: 91.191.147.243
  stub-addr: 79.143.244.68
  # test with "search.42"

(Now hypothetically) if CesidianRoot signs all of their 84 TLDs which
are under their authority with a similar/same key, then do I have to add
84 "trust-anchor-file: "filename"" lines?

Thanks for all of your help on these.
Bry8Star.

What you are trying to accomplish is wrong. Scattering roots and losing
the global agreement on an address is just bad. I recommend you read:

http://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the-dns-and-have-it-too/

I totally agree about not wanting to break the current global namespace.

I currently don't have a reason I'd want to change anything. Although ICANN
sometimes makes strange decisions when looking at it from afar. Maybe make it
harder for the root to change something others might not like. There is
obviously a whole process in place to handle root changes. So I don't expect
anyone to make changes at the root easily.

So I commented on the blog (still needs to be approved):

This is really not the right list to discuss this.

So all we really need is some way of keeping the root in check, some safety net.

It's called root server operators.

Why not create 5 roots that all serve the same data, the same data the original root serves. Just like a lot of the alternative roots we had in the past.

We already have (something like) that. (Almost) each root server has a
different operator and at least some of them don't blindly accept
anything which comes from Verisign/IANA.

O.

This is really not the right list to discuss this.

Yeah, sorry.

There are many other Root servers other than the ICANN Root servers. For
example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
(http://www.opennicproject.org/), New Nations (New-Nations.net),
Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org), 42
(http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
DNS) (i-dns.net), Public-Root (http://public-root.com), UnifiedRoot
(unifiedroot.com), etc.

And we had alternic, alternet, .bofh and many others. They all died.

And new ones are also starting up; you did not mention those!

How can I integrate all of them into one Unbound, or into a central Unbound, to
use all of their TLDs, which are not found in the default ICANN/IANA root
servers?

How are you going to deal with overlapping domain names?

It would be up to an end-user like me to choose which one I want to reach,
or what technique I can apply to reach into both areas. What do you
suggest to solve a problem like this? How can I reach both sides? Could
I re-map one such TLD onto another one, or add a '2' at the end, and use that? How
to do that in 'Unbound'?

For example, I had to add these in unbound.conf/service.conf for the '42'
TLD:

domain-insecure: "42"
stub-zone:
  name: "42"
  stub-addr: 91.191.147.246 # 42Registry a.42tld-servers.net europe
  stub-addr: 91.191.147.243 # 42Registry b.42tld-servers.net europe
  stub-addr: 79.143.244.68 # 42Registry c.42tld-servers.net europe

Try using a forward zone? Either in the config or using:

sudo unbound-control forward_add 42 91.191.147.246 91.191.147.243 79.143.244.68

I'm not understanding your command; what will it do? Currently 42 is
resolving fine, please see my other email. The mentioned IP addresses
are their nameservers; aren't nameservers supposed to be added inside a
'stub-zone' in Unbound? Those are not able to resolve the ICANN/IANA root
TLDs. And I don't remote-control Unbound.

if 42 TLD supports/has DNSSEC components, then how can i use them ? or
how to enable DNSSEC for 42 TLD ?

You can preload any DNSSEC key with trusted-keys-file. What you are
doing (at the root) is not much different from adding
"private views" higher up. So googling for "bind views" might help you
as well.

Thanks. I need the Unbound config file commands/options. Please respond
using the other email on this.

By the way, your IRC channel #unbound on irc.freenode.net is very
inactive, and some users who did post some messages, instead of helping
out, question the 'question'! Or question the 'user' who is
posting the question or asking for help! Instead of asking more about
the problem itself, and what can be done to solve it! Very unfriendly
attitudes. Most likely these users do not like to help others, or are
grumpy, or busy with something else, or expecting something else from
users.

What you are trying to accomplish is wrong. Scattering roots and losing
the global agreement on an address is just bad. I recommend you read:

http://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the-dns-and-have-it-too/

Paul

Hello Paul, TRY to see what kind of mistake you are making: you are
telling me "What you are trying to accomplish is wrong"! ... Please
direct that to the alternative root server operators or related persons, and
also to ICANN/IANA related persons, not an end user like me. An end user
like me, who is trying to use a DNS resolver like 'Unbound' (and not a DNS
server) on an end-user OS like Windows XP/7, will use what already exists.

Probably, if you read carefully, you will see that my target is to integrate
and use the TLDs that are already in ICANN/IANA/etc. AND also use other TLDs
that are in other alternative root servers. 'Unbound' by default already
uses ICANN/IANA/etc.; I want to resolve/add more TLDs which they cannot
resolve.

I'm on the mailing list, and started this email thread, in the hope that
there may be some people who are willing to help get a working
solution, not for discussing other issues.

> What you are trying to accomplish is wrong. Scattering roots and losing
> the global agreement on an address is just bad. I recommend you read:
>
> http://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the-dns-and-have-it-too/
>
>
> Paul

Hello Paul, TRY to see what kind of mistake you are making: you are
telling me "What you are trying to accomplish is wrong"! ... Please
direct that to the alternative root server operators or related persons, and
also to ICANN/IANA related persons, not an end user like me. An end user
like me, who is trying to use a DNS resolver like 'Unbound' (and not a DNS
server) on an end-user OS like Windows XP/7, will use what already exists.

An end user like you explicitly *chooses* to use "alternative" roots.
If you choose to do so, you better be prepared to hear that some of
us regard it as wrong/stupid/whatever.

I'm on the mailing list, and started this email thread, in the hope that
there may be some people who are willing to help get a working
solution, not for discussing other issues.

Maybe you'll get help, and maybe you won't. I, for one, am not going
to use my time on "alternative" roots.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Great, further tests have given some successful results: some
good/improvements & a few bad/unsolved:

The config file below worked on WinXP :slight_smile:
to resolve these TLDs: '42', 'geek' (1 TLD of OpenNIC), 'ita' (1 TLD of
CesidianRoot), 'ovh', 'xn--e1apq' (1 TLD of i-DNS.net).

But it could not resolve 'bit' or 'ti' (1 TLD of New-Nations.net) :frowning:

# BEGIN of service.conf / unbound.conf file
# Last Modified 2012-08-27 23:05
# Copyright (C) 2012 Bry8Star. (bry8 star a.t ya hoo d.o.t c om)
server:
verbosity: 3
statistics-interval: 0
statistics-cumulative: "no"
extended-statistics: "no"
num-threads: 2
interface: 127.0.0.1
interface: 192.168.0.10
interface: ::1
interface-automatic: "no"
port: 53
outgoing-interface: 192.168.0.10
outgoing-range: 400
outgoing-port-permit: 52000-56096
outgoing-port-avoid:
"22,25,26,37,53,54,55,67,68,69,80,110,123,135,137,138,139,143,443,445,465,500,587,843,990,912,993,995,1025,1863,1935,2082,2083,2096,2400,4242,4400,4421,4444,4445,4480,4500,4569,5038,5050,5060,5061,5062,5063,5064,5065,5198,5199,5200,5222,5555,5800,5801,5900,5901,6666,6667,6668,6669,7000,7001,7002,7003,7004,7005,7006,7658,7659,7660,7777,8050,8052,8054,8056,8058,8060,8080,8110,8118,8120,8123,8125,8143,8210,8225,8243,8998,9001,9022,9030,9050,9051,9052,9053,9054,9055,9056,9057,9058,9059,9060,9080,10000,15000,15001,15002,15003,15004,16001,16999,20000,20001,25000,26999,30600,31000,32000,36999,50300"
outgoing-num-tcp: 8
incoming-num-tcp: 8
so-rcvbuf: 8m
so-sndbuf: 8m
edns-buffer-size: 4096
msg-buffer-size: 65552
msg-cache-size: 24m
msg-cache-slabs: 4
num-queries-per-thread: 200
jostle-timeout: 200
rrset-cache-size: 48m
rrset-cache-slabs: 4
cache-min-ttl: 0
cache-max-ttl: 21600
infra-host-ttl: 900
infra-cache-slabs: 4
infra-cache-numhosts: 10000
do-ip4: "yes"
do-ip6: "no" # for now
do-udp: "yes"
do-tcp: "yes"
tcp-upstream: "no"
do-daemonize: "yes"
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.10/24 allow
access-control: ::1 allow
logfile: "C:\Program Files\Unbound\unbound.log"
use-syslog: "no"
log-time-ascii: "yes"
log-queries: "no"
root-hints: "C:\Program Files\Unbound\named.cache"
hide-identity: "yes"
hide-version: "yes"
identity: "DNS"
version: "1.0.0"
target-fetch-policy: "3 2 1 1 1 1"
harden-short-bufsize: "no"
harden-large-queries: "no"
harden-glue: "yes"
harden-dnssec-stripped: "yes"
harden-below-nxdomain: "no"
harden-referral-path: "no"
use-caps-for-id: "no"
unwanted-reply-threshold: 1000
prefetch: "yes"
prefetch-key: "yes"
rrset-roundrobin: "yes"
minimal-responses: "no"
module-config: "validator iterator"
dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
# Downloaded from http://ftp.isc.org/www/dlv/dlv.isc.org.key
# DLV, DNS Lookaside Validation, for the root
auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
#trust-anchor-file: "<filename>"
# File with trusted keys for validation. Specify more
# than one file with several entries, one file per entry.
# Standard DNS Zone file format, with DS, DNSKEY entries.
#trusted-keys-file: "<filename>"
# File with trusted keys for validation. Specify more
# than one file with several entries, one file per entry.
# Like trust-anchor-file, but in BIND-9 format.
domain-insecure: "42"
domain-insecure: "ovh"
domain-insecure: "bit"
domain-insecure: "ita"
domain-insecure: "geek"
domain-insecure: "glue"
domain-insecure: "xn--e1apq"
# Other domain-insecure TLDs
# which are inside other AltRootDNS
# and does not have DNSSEC record, key yet
val-bogus-ttl: 60
val-sig-skew-max: 86400
val-clean-additional: "yes"
val-permissive-mode: "no"
ignore-cd-flag: "yes"
val-log-level: 2
#val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
key-cache-size: 24m
key-cache-slabs: 4
neg-cache-size: 4m
# Blocking below TLDs
local-zone: "onion." refuse # disallow via public route
local-zone: "i2p." refuse # suppose to go via proxy route
remote-control:
control-enable: "no"
stub-zone:
name: "42" # http://42registry.org/
stub-host: a.42tld-servers.net. # name / DNS Srvr
stub-host: b.42tld-servers.net.
stub-host: c.42tld-servers.net.
stub-host: d.42tld-servers.net.
# GeekNode OpenResolvers:
stub-addr: 81.93.248.69
stub-addr: 81.93.248.68
stub-addr: 91.194.60.196
stub-addr: 193.17.192.53
# Psilo.fr resolvers:
stub-addr: 109.235.51.12
stub-addr: 85.17.236.67
# test above with "search.42" , "nic.42"
stub-zone:
name: "ovh" # http://ovh.co.uk/
stub-addr: 213.251.128.133 # name / DNS Srvr
stub-addr: 213.251.188.133
stub-zone:
name: "bit" # http://dot-bit.org , NameCoin
stub-host: ns.dot-bit.bit. # name / DNS Srvr
stub-addr: 178.32.31.41 # ns.dot-bit.bit
stub-addr: 108.174.61.249
stub-addr: 78.47.86.43
stub-addr: 96.127.133.37
stub-addr: 69.194.226.23
stub-addr: 194.71.109.237
stub-addr: 2001:41d0:2:a5d9::101 # ns.dot-bit.bit
# test above with "dot-bit.bit"
# New-Nations.net has 6 TLDs: (now showing only 1 below)
stub-zone:
name: "ti"
stub-host: ns1.new-nations.ti.
stub-host: ns2.new-nations.ti.
stub-addr: 88.84.130.20 # ns1.New-Nations.net West Asia
stub-addr: 194.50.176.206 # ns2.New-Nations.net West Asia
# OpenNIC : http://www.opennicproject.org/ :
# 14 TLDs: .geek, .free, .bbs, .parody, .oss,
# .indy, .fur, .ing, .micro, .dyn, .neo,
# .pirate, gopher and null.
# Showing only 2 out of 14 TLD below:
stub-zone:
name: "geek"
stub-host: ns2.opennic.glue.
stub-host: ns3.opennic.glue.
stub-host: ns4.opennic.glue.
stub-host: ns5.opennic.glue.
stub-host: ns6.opennic.glue.
stub-host: ns7.opennic.glue.
stub-host: ns8.opennic.glue.
stub-host: ns21.opennic.glue.
stub-zone:
name: "glue"
stub-host: ns2.opennic.glue.
stub-host: ns3.opennic.glue.
stub-host: ns4.opennic.glue.
stub-host: ns5.opennic.glue.
stub-host: ns6.opennic.glue.
stub-host: ns7.opennic.glue.
stub-host: ns8.opennic.glue.
stub-host: ns21.opennic.glue.
# test above with "grep.geek"
# CesidianRoot : http://www.cesidianroot.net/
# Cesidian Root proper has 84 TLDs,
# Showing only 1 out 84 TLDs
stub-zone: # http://www2.world-dns.net/
name: "ita"
stub-host: ns1.cesidio.net.
stub-host: ns4.cesidio.net.
stub-host: ns9.cesidian.info.
# test above with "governo.ita"
# i-DNS.net has many multi-lingual supported TLDs
# Showing only 1 of the TLD below:
stub-zone: # (Russian, Punycode form, .нет or .net)
name: "xn--e1apq"
stub-host: nsa.i-dns.net.
stub-host: nsb.i-dns.net.
stub-host: nsc.i-dns.net.
stub-host: nsd.i-dns.net.
stub-addr: 64.62.142.131
stub-addr: 195.161.113.189
stub-addr: 211.169.245.170
stub-addr: 120.50.44.141
# TLD '42':
forward-zone:
name: "a.42tld-servers.net"
forward-addr: 91.191.147.246
forward-zone:
name: "b.42tld-servers.net"
forward-addr: 91.191.147.243
forward-zone:
name: "c.42tld-servers.net"
forward-addr: 79.143.244.68
forward-addr: 2a01:678:fff:42:42::
forward-zone:
name: "d.42tld-servers.net"
forward-addr: 83.169.77.117
# TLD 'bit':
forward-zone:
name: "ns.dot-bit.bit"
forward-addr: 178.32.31.41
forward-addr: 2001:41d0:2:a5d9::101
# New-Nations.net TLD:
forward-zone:
name: "ns1.new-nations.ti"
forward-addr: 88.84.130.20
forward-zone:
name: "ns2.new-nations.ti"
forward-addr: 194.50.176.206
# CesidianRoot TLDs:
forward-zone:
name: "ns1.cesidio.net"
forward-addr: 78.47.115.193
forward-zone:
name: "ns4.cesidio.net"
forward-addr: 78.47.115.196
forward-zone:
name: "ns9.cesidian.info"
forward-addr: 84.200.208.231
forward-addr: 2001:1608:12:0:7862:ab14:ef56:102
# i-DNS.net TLDs:
forward-zone:
name: "nsa.i-dns.net"
forward-addr: 64.62.142.131
forward-zone:
name: "nsb.i-dns.net"
forward-addr: 195.161.113.189
forward-zone:
name: "nsc.i-dns.net"
forward-addr: 211.169.245.170
forward-zone:
name: "nsd.i-dns.net"
forward-addr: 120.50.44.141
# OpenNIC TLDs:
forward-zone:
name: "ns2.opennic.glue"
forward-addr: 216.87.84.210
forward-addr: 2001:470:8388:10:0:100:53:10
forward-zone:
name: "ns21.opennic.glue"
forward-addr: 202.83.95.229
forward-zone:
name: "ns3.opennic.glue"
forward-addr: 199.30.58.57
forward-addr: 2001:470:8ca1::53
forward-zone:
name: "ns4.opennic.glue"
forward-addr: 84.200.228.200
forward-zone:
name: "ns5.opennic.glue"
forward-addr: 128.177.28.254
forward-zone:
name: "ns6.opennic.glue"
forward-addr: 207.192.71.13
forward-addr: 2002:cfc0:470d::1
forward-zone:
name: "ns7.opennic.glue"
forward-addr: 66.244.95.11
forward-addr: 2001:470:1f10:c6::11
forward-zone:
name: "ns8.opennic.glue"
forward-addr: 178.63.116.152
forward-addr: 2a01:4f8:110:6221::999
# Default Root Zone TLDs:
# forward-zone:
# name: "."
# forward-addr: i.p.adrs.1 # My ISP # Recursive/Caching
# forward-addr: i.p.adrs.2 # My ISP # Recursive/Caching
# END of service.conf / unbound.conf file

Can anyone help me further to fix the problems mentioned above?

Thanks in advance,

Bry8Star.