Hi all,
I'm new to Unbound and DNSSEC. I'm using it on my home network to serve up
my local hostnames, provide me with DNSSEC and IPv6 support.
My 1st question is a general DNSSEC question. What do I need to have on my
desktop pc to have Firefox with the DNSSEC Validator addon to validate
DNSSEC-enabled websites? I have installed Unbound on my server (Debian 6.0)
and have my desktop pc (Ubuntu 11.10) use my server as DNS-server. This
does not seem to work. So I also installed Unbound on my desktop, and then
it seems to work. Is this how it's supposed to work?
My 2nd question is related to the 1st one. I have defined some local-data
in my unbound.conf on my server for the hostnames in my local LAN. This was
working on both my server and desktop when I had Unbound only on the
server. When I installed it also on my desktop, Unbound on my desktop
obviously resolved everything and my local hostnames were not found. Then I
tried creating a forward-zone on my desktop pointing all queries to my
server. This too does not work for my local hostnames. How do I set this
up? Of course I only want to define my hostnames once...
Regards,
Marcel
> Hi all,
> I'm new to Unbound and DNSSEC. I'm using it on my home network to serve up
> my local hostnames, provide me with DNSSEC and IPv6 support.
> My 1st question is a general DNSSEC question. What do I need to have on my
> desktop pc to have Firefox with the DNSSEC Validator addon to validate
> DNSSEC-enabled websites? I have installed Unbound on my server (Debian 6.0)
That depends on how the firefox plugin works. It may do DNSSEC itself, and merely require a DNSSEC-aware upstream resolver. Or it may require the upstream resolver to do DNSSEC and set the "ad" flag.
> and have my desktop pc (Ubuntu 11.10) use my server as DNS-server. This
> does not seem to work. So I also installed Unbound on my desktop, and then
> it seems to work. Is this how it's supposed to work?
Care to be more specific about what "does not seem to work" means?
With unbound on your server, you should be able to do:
dig +dnssec @server <signed name>
...and get back a response with the "ad" flag set e.g.
$ dig +dnssec org ns
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
^^ AD flag set
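The same check done without dig, as an added example that is not part of this thread or of Unbound: a query is sent with the EDNS0 DO bit set, and the reply header is inspected for the AD flag (what a plugin that relies on the upstream validator needs to see) and for SERVFAIL (what Unbound returns for a bogus answer). The resolver address 127.0.0.1 and the test name "org." are assumptions; the constructed reply headers used in the checks below mirror the dig output quoted above.

```python
"""Send a DNSSEC-OK query to a resolver and report whether the reply carries
the AD flag. Added example; resolver address and test name are assumptions."""
import secrets
import socket
import struct
import sys

# DNS header flag bits (RFC 1035, AD/CD from RFC 4035).
RD, RA, AD, CD = 0x0100, 0x0080, 0x0020, 0x0010
TYPE_NS, TYPE_OPT, CLASS_IN = 2, 41, 1
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT RR's extended flags (RFC 4035)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_NS, txid=None, do=True, udp_size=4096):
    """Recursive query plus an EDNS0 OPT RR; DO asks for RRSIG/NSEC data."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-rcode|version|flags (DO is the top flag bit), RDLEN=0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return txid, header + question + opt


def parse_flags(response):
    """Pull the transaction id, RCODE and the RA/AD/CD bits out of a reply."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "txid": txid,
        "rcode": flags & 0x000F,
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
    }


def check_resolver(server, qname="org.", timeout=3.0):
    """Send one DO query to server:53 over UDP and return the parsed flags."""
    txid, packet = build_query(qname)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    info = parse_flags(data)
    if info["txid"] != txid:
        raise ValueError("transaction id mismatch, ignoring reply")
    return info


def describe(info):
    """One-line verdict in the spirit of the dig output quoted in the thread."""
    if info["rcode"] == 2:
        return "SERVFAIL: validation failed (or the resolver is broken)"
    if info["ad"]:
        return "AD set: resolver validated the answer"
    return "no AD: resolver did not validate (missing trust anchor?)"


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumption
    result = check_resolver(server)
    print(result, describe(result))
```

Run it as `python3 adcheck.py 192.168.1.1` (name and address assumed). A resolver that resolves but has no trust anchor configured answers with rcode 0 and no AD, which is the symptom described later in this thread; a validating resolver sets AD for a signed name and returns SERVFAIL for a deliberately broken zone unless the query also sets CD.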
>> Hi all,
>> I'm new to Unbound and DNSSEC. I'm using it on my home network to serve up
>> my local hostnames, provide me with DNSSEC and IPv6 support.
>> My 1st question is a general DNSSEC question. What do I need to have on my
>> desktop pc to have Firefox with the DNSSEC Validator addon to validate
>> DNSSEC-enabled websites? I have installed Unbound on my server (Debian
>> 6.0)
> That depends on how the firefox plugin works. It may do DNSSEC itself, and
> merely require a DNSSEC-aware upstream resolver. Or it may require the
> upstream resolver to do DNSSEC and set the "ad" flag.
This one, but we are thinking to move it closer to application and do
validation inside DNSSEC Validator.
>> and have my desktop pc (Ubuntu 11.10) use my server as DNS-server. This
>> does not seem to work. So I also installed Unbound on my desktop, and then
>> it seems to work. Is this how it's supposed to work?
> Care to be more specific about what "does not seem to work" means?
> With unbound on your server, you should be able to do:
> dig +dnssec @server <signed name>
> ...and get back a response with the "ad" flag set e.g.
> $ dig +dnssec org ns
> ...
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
> ^^ AD flag set
O.
Ondřej Surý wrote:
>>> Hi all,
>>>
>>> I'm new to Unbound and DNSSEC. I'm using it on my home network to serve up
>>> my local hostnames, provide me with DNSSEC and IPv6 support.
>>>
>>> My 1st question is a general DNSSEC question. What do I need to have on my
>>> desktop pc to have Firefox with the DNSSEC Validator addon to validate
>>> DNSSEC-enabled websites? I have installed Unbound on my server (Debian
>>> 6.0)
>>
>> That depends on how the firefox plugin works. It may do DNSSEC itself, and
>> merely require a DNSSEC-aware upstream resolver. Or it may require the
>> upstream resolver to do DNSSEC and set the "ad" flag.
>
> This one, but we are thinking to move it closer to application and do
> validation inside DNSSEC Validator.
>
>>> and have my desktop pc (Ubuntu 11.10) use my server as DNS-server. This
>>> does not seem to work. So I also installed Unbound on my desktop, and then
>>> it seems to work. Is this how it's supposed to work?
>>
>> Care to be more specific about what "does not seem to work" means?
>>
>> With unbound on your server, you should be able to do:
>>
>> dig +dnssec @server <signed name>
>>
>> ...and get back a response with the "ad" flag set e.g.
>>
>> $ dig +dnssec org ns
>> ...
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
>> ^^ AD flag set
If the validator plugin requires the AD flag then that explains the
poster's different results between Debian and Ubuntu.
The "Ubuntu" unbound package is pretty much just the Debian unbound
package (with the minor exception that, because Ubuntu releases so
often, they end up doing more security updates for their distribution's
releases), and I introduced DNSSEC validation by default (with the help
of unbound-anchor) in versions >= 1.4.9-1, which is after the stable
release of Debian (6.0/squeeze), but has probably been included in
several Ubuntu releases by now. Also note that newer unbound packages
for Debian stable that do DNSSEC validation by default are available in
the Debian backports repository.
Orthogonally, you might want to check whether your network environment is suitable with respect to EDNS0 and UDP packet sizes and that there are no weird network elements blocking your DNS view to the authoritative world. A quick way of finding that out is running netalyzr (http://netalyzr.icsi.berkeley.edu/)
--Olaf
Hi,
> With unbound on your server, you should be able to do:
> dig +dnssec @server <signed name>
> ...and get back a response with the "ad" flag set e.g.
> $ dig +dnssec org ns
> ...
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
> ^^ AD flag set
When I type this command on both my server and desktop machine, I don't see
the AD flag.
I did this with dig version 9.7.3.
> If the validator plugin requires the AD flag then that explains the
> poster's different results between Debian and Ubuntu.
> The "Ubuntu" unbound package is pretty much just the Debian unbound
> package (with the minor exception that, because Ubuntu releases so
> often, they end up doing more security updates for their distribution's
> releases), and I introduced DNSSEC validation by default (with the help
> of unbound-anchor) in versions >= 1.4.9-1, which is after the stable
> release of Debian (6.0/squeeze), but has probably been included in
> several Ubuntu releases by now. Also note that newer unbound packages
> for Debian stable that do DNSSEC validation by default are available in
> the Debian backports repository.
Unbound version on server (Debian): 1.4.14-2~bpo60+1
Unbound version on Ubuntu: 1.4.12-1ubuntu1
Marcel
Nice toy! All seems fine except for some problem with fragmented IPv6
packets and blocked Windows networking (duh!).
Not sure if it's needed or important, but I have "options edns0" in my
/etc/resolv.conf (on my Ubuntu desktop).
Marcel
This now works. I have solved it by adding the following line to my
unbound.conf on my server:
auto-trust-anchor-file: "/etc/unbound/root.key"
I thought this path would be the default and did not need to be
specified. But it does. I removed unbound from my desktop pc as it's not needed.
Maybe unbound-anchor should add this line to unbound.conf automatically or
at least check/warn the user if it is incorrect.
Thanks all for the help.
Marcel
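The layout the thread ends up with, written out as an added example (not Marcel's actual files and not shipped by Unbound or Debian): one validating Unbound on the server with the trust anchor line that was missing, the LAN names defined once there, and the desktop simply using the server. The zone name "home.lan.", the addresses 192.168.1.0/24 and fd00::/64, and the host "nas" are assumptions. The commented-out alternative at the end is for the case where the desktop keeps its own validating Unbound and forwards to the server; it uses forward-zone and domain-insecure as documented in unbound.conf(5), not anything the thread itself tested.

```conf
# ---- /etc/unbound/unbound.conf on the server (the only resolver) ----
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.1.0/24 allow      # assumed LAN
    access-control: fd00::/64 allow           # assumed LAN

    # Without a trust anchor Unbound resolves fine but never validates,
    # so the AD flag is never set. The file is created and kept up to date
    # by unbound-anchor; Debian 6.0's package did not add this line itself.
    auto-trust-anchor-file: "/etc/unbound/root.key"

    # Private LAN names, defined once, on the server only.
    local-zone: "home.lan." static
    local-data: "nas.home.lan. IN A 192.168.1.10"
    local-data: "nas.home.lan. IN AAAA fd00::10"
    local-data-ptr: "192.168.1.10 nas.home.lan"

# ---- /etc/resolv.conf on the desktop (no local unbound) ----
#    nameserver 192.168.1.1
#    options edns0

# ---- Alternative: desktop keeps its own validating unbound ----
# Forward everything to the server and declare the private zone insecure,
# so the validator treats home.lan. as unsigned instead of looking for a
# DS/RRSIG chain for it (unbound.conf(5), domain-insecure).
#server:
#    auto-trust-anchor-file: "/etc/unbound/root.key"
#    domain-insecure: "home.lan."
#forward-zone:
#    name: "."
#    forward-addr: 192.168.1.1
```

Before starting the server with this file, create the anchor once with `unbound-anchor -a /etc/unbound/root.key` (as the user Unbound runs as, since auto-trust-anchor-file must be writable for RFC 5011 updates), then confirm with `dig +dnssec @192.168.1.1 org ns` that the "ad" flag appears and with `dig @192.168.1.1 nas.home.lan` that the local name still answers.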