Hi,
Sorry if I seem a bit naive on this but what I'm trying to accomplish is probably harder than it seems.
What I want is for my resolver to use DNSSEC.
So it looks like I need to recompile everything with Unbound's library and probably not use ISC's BIND resolver library. Is that correct?
Which would be impossible on a closed source operating system.
So I have it installed and it seems to work - kind of:
$ dig . +dnssec
; <<>> DiG 9.6-ESV-R4-P3 <<>> . +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10913
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
but the test web sites both return fail:
http://test.dnssec-or-not.org/ says no as well as:
http://dnssectest.sidn.nl/
So is there any use for me for this utility or was it just a nice experiment?
Thanks in advance,
alan
Alan,
> What I want is for my resolver to use DNSSEC.
> So it looks like I need to recompile everything with Unbound's
> library and probably not use ISC's BIND resolver library. Is that
> correct?
No, not at all. What you have to do is get your resolver to speak to
your newly set up Unbound, by adding its address to /etc/resolv.conf on
the client machines that should use it.
> So I have it installed and it seems to work - kind of:
> $ dig . +dnssec
> ; <<>> DiG 9.6-ESV-R4-P3 <<>> . +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10913
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
That looks ok, as long as dig is actually using your Unbound. Best to
force it to query that explicitly by specifying the IP of your Unbound
dig @127.0.0.1 +dnssec .
(supposing Unbound is on 127.0.0.1)
> So is there any use for me for this utility or was it just a nice
> experiment?
As mentioned above, point your /etc/resolv.conf to Unbound.
-JP
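Added example (not part of the thread and not Unbound's own tooling): the two things the reply above asks for, that the `ad` flag is set and that the answer really came from Unbound, checked in shell over captured dig output, plus a check for resolv.conf entries that would bypass Unbound. The sample captures, the `;; SERVER:` footer line and the 192.0.2.53 fallback address are constructed; 127.0.0.1 is the address supposed in the thread.

```shell
# Added example. UNBOUND_IP and both samples below are constructed/assumed.
UNBOUND_IP="127.0.0.1"

# Constructed dig capture: header as in the thread, plus the SERVER footer
# that dig prints to show which resolver actually answered.
sample_dig() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10913
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF
}

# Constructed resolv.conf with a second, non-Unbound fallback entry.
sample_resolv_mixed() {
cat <<'EOF'
nameserver 127.0.0.1
nameserver 192.0.2.53
EOF
}

# Succeeds if the header flags on stdin include "ad" (resolver validated).
has_ad_flag() {
    awk '/^;; flags:/ { sub(/^;; flags:/, ""); sub(/;.*$/, "")
             n = split($0, f, " ")
             for (i = 1; i <= n; i++) if (f[i] == "ad") ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Prints the address from dig's ";; SERVER:" line.
answering_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Prints every resolv.conf nameserver that is not the expected address ($1).
stray_nameservers() {
    awk -v want="$1" '$1 == "nameserver" && $2 != want { print $2 }'
}

# Succeeds only if the answer was validated AND came from the expected resolver.
validated_by() {   # usage: validated_by EXPECTED_IP < dig_output
    out=$(cat)
    printf '%s\n' "$out" | has_ad_flag || return 1
    [ "$(printf '%s\n' "$out" | answering_server)" = "$1" ]
}

sample_dig | validated_by "$UNBOUND_IP" && echo "validated by $UNBOUND_IP"
sample_resolv_mixed | stray_nameservers "$UNBOUND_IP" | sed 's/^/not Unbound: /'
```

On a live host the same functions take real input, for example `dig @127.0.0.1 +dnssec . | validated_by 127.0.0.1` and `stray_nameservers 127.0.0.1 < /etc/resolv.conf`.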
Alan,
> > What I want is for my resolver to use DNSSEC.
> >
> > So it looks like I need to recompile everything with Unbound's
> > library and probably not use ISC's BIND resolver library. Is that
> > correct?
> No, not at all. What you have to do is get your resolver to speak to
> your newly set up Unbound, by adding its address to /etc/resolv.conf on
> the client machines that should use it.
If that's all I need to do then I'm all set up.
Many thanks,
alan
> That looks ok, as long as dig is actually using your Unbound. Best to
> force it to query that explicitly by specifying the IP of your Unbound
> dig @127.0.0.1 +dnssec .
> As mentioned above, point your /etc/resolv.conf to Unbound.
Did that. Same results so it looks like I'm all set.
Thanks!,
alan