Configuring Unbound

1. Log in using SSH/Putty/... to your CACHE machine:

   (e.g. for group 1, you would use cache.grp1.ws.nsrc.org)

    $ ssh -l adm cache.grpXX.ws.nsrc.org

2. On CACHE:

    # cd /usr/local/etc/unbound/
    # cp unbound.conf.sample unbound.conf

   Now edit the file unbound.conf, and make the following changes:

   a) enable listening

      - find the lines with:

        # interface: ...
        # interface: ...

        and just under, add this line:

        interface: 0.0.0.0

   b) access control

      - find the lines with:

        # access-control: ...
        # access-control: ...

        and just under, add this line:

        access-control: 10.10.0.0/16 allow

   c) chroot security

      - find the line

        # chroot: "/usr/local/etc/unbound"

        and just under, add this line:

        chroot: ""

   d) set the root-hints file

      - find the line with:

        # root-hints: ""

        and just under, add this line:

        root-hints: "/usr/local/etc/unbound/named.root"

        ... and download a copy like this:

        # cd /usr/local/etc/unbound/
        # fetch http://10.10.0.245/named.root

   e) re-enable the 10.in-addr.arpa zone

      - find the line with:

        # local-data-ptr: "192.0.2.3 www.example.com"

        and just under, add this line:

        local-zone: "10.in-addr.arpa." nodefault

   f) enable remote control

      - find the line with:

        # control-enable: no

        and CHANGE it (by removing # in front) to:

        control-enable: yes

      - find the line with:

        # control-interface: 127.0.0.1

        and CHANGE it to:

        control-interface: 0.0.0.0

      - find the line with:

        # control-port: 953

        and CHANGE it to:

        control-port: 953

      - finally, uncomment the following lines:

        # server-key-file: "/usr/local/etc/unbound/unbound_server.key"

        becomes

        server-key-file: "/usr/local/etc/unbound/unbound_server.key"

        # server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

        becomes

        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

        # control-key-file: "/usr/local/etc/unbound/unbound_control.key"

        becomes

        control-key-file: "/usr/local/etc/unbound/unbound_control.key"

        # control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

        becomes

        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

   Save the file, exit.

3. Create the control keys:

    # unbound-control-setup

4. Test the configuration:

    # unbound-checkconf

5. Edit /etc/rc.conf and add:

    unbound_enable="YES"

6. Start unbound!

    # /usr/local/etc/rc.d/unbound start

7. Change your /etc/resolv.conf to use your newly configured Unbound,
   on this machine (CACHE), but on MASTER as well:

    # vi /etc/resolv.conf

   Change the nameserver line to:

    nameserver 10.10.XX.2

   ... where XX is the number of your group

8. Test

    # dig
    # dig noc.ws.nsrc.org
    # dig MYTLD. NS

   Make sure you see SERVER: ...(10.10.XX.2) at the bottom of dig's output.

    # dig version.bind txt chaos

   What does the output say?
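
The settings from step 2 that widen the resolver's exposure (remote control on all interfaces, chroot turned off, and the access-control range) can be checked with a short audit script. This is an added example, not part of the original lab; the function names audit_unbound_conf and lab_sample_conf and the embedded sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the lab): flag the exposure-related settings
# that step 2 changes in unbound.conf. Function names are hypothetical.

# Constructed sample: the active directives the lab ends up with.
lab_sample_conf() {
    cat <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 10.10.0.0/16 allow
    chroot: ""
    local-zone: "10.in-addr.arpa." nodefault
remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
    control-port: 953
EOF
}

# Reads a config from file $1 (or stdin); prints one WARN line per finding
# and returns 1 if there was any finding, 0 otherwise.
audit_unbound_conf() {
    awk '
    { sub(/#.*/, ""); gsub(/"/, "") }   # strip comments and quotes
    $1 == "control-enable:"    { ctl = $2 }
    $1 == "control-interface:" { cif[++n] = $2 }
    $1 == "chroot:"            { seen = 1; chroot = $2 }
    $1 == "access-control:" && $3 ~ /^allow/ && $2 ~ /^(0\.0\.0\.0|::0?)\/0$/ {
        print "WARN access-control " $2 " " $3 ": resolver answers any client"
        bad = 1
    }
    END {
        if (ctl == "yes")
            for (i = 1; i <= n; i++)
                if (cif[i] != "127.0.0.1" && cif[i] != "::1") {
                    print "WARN control-interface " cif[i] ": port reachable off-host, guarded only by the unbound_control key/cert"
                    bad = 1
                }
        if (seen && chroot == "") {
            print "WARN chroot disabled: daemon is not confined to its config directory"
            bad = 1
        }
        exit bad + 0
    }' "${1:--}"
}

lab_sample_conf | audit_unbound_conf || true
```

On the lab's config this reports the control-interface and chroot settings; the 10.10.0.0/16 access-control line passes because it limits recursion to the workshop network.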