Agenda: dnssec-unbound-enable-validation.txt

File dnssec-unbound-enable-validation.txt, 1.0 KB (added by admin, 6 years ago)
Enabling DNSSEC validation with the root trust anchor in Unbound
----------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1, you
would use resolv.grp1.ws.nsrc.org, as you did in the unbound config
exercise.

1. Grab the root key

    NOTE: This is only for the purpose of this lab - on the Internet,
    you would simply use "unbound-anchor" to download the real root.key,
    and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
    the key when necessary.

    In this lab:

    Go to https://rzm.dnssek.org/, and copy the trust-anchor
    statement (the ENTIRE line) from this page and paste it into
    your Unbound configuration file (/usr/local/etc/unbound/unbound.conf)

    Find the "trust-anchor:" line, and change it from:

    # trust-anchor:

    to

    trust-anchor: ". DNSKEY 257 3 8 Aw.... (the whole line)"

2. Reload the nameserver

    # service unbound restart

3. dig @localhost +dnssec mytld. SOA

    What do you notice?
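
An added example (not part of the original lab sheet): a Python check that the
trust-anchor line pasted in step 1 is active, quoted and complete, which also
computes the key tag of the pasted key. The function names and the sample key
are this example's own; the sample key is constructed and is not a real key.

```python
import base64
import re

# Shape of the statement pasted in step 1:
#   trust-anchor: ". DNSKEY 257 3 8 <base64 public key>"
ANCHOR_RE = re.compile(
    r'^\s*trust-anchor:\s*"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+'
    r'(\d+)\s+(\d+)\s+(\d+)\s+([^"]+)"\s*$'
)

def key_tag(flags, protocol, algorithm, key):
    """Key tag as defined in RFC 4034 Appendix B, over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def check_anchor(line):
    """Return (owner, key_tag) for a usable anchor line, else raise ValueError."""
    m = ANCHOR_RE.match(line)
    if not m:
        raise ValueError("not an active, quoted trust-anchor DNSKEY statement")
    owner = m.group(1)
    flags, protocol, algorithm = (int(m.group(i)) for i in (2, 3, 4))
    if flags != 257:
        raise ValueError("flags %d: the lab's anchor has flags 257" % flags)
    if protocol != 3:
        raise ValueError("protocol %d: DNSKEY protocol must be 3" % protocol)
    # validate=True rejects anything outside the base64 alphabet, which is
    # what a partially copied or elided key ("Aw....") looks like.
    key = base64.b64decode("".join(m.group(5).split()), validate=True)
    return owner, key_tag(flags, protocol, algorithm, key)

# Constructed sample: a 9-byte stand-in key, far too short to be real.
SAMPLE = 'trust-anchor: ". DNSKEY 257 3 8 AwEAAcD/7gAB"'

if __name__ == "__main__":
    print(check_anchor(SAMPLE))
```

The returned key tag can be compared with the "key id" that `dig +multiline`
prints next to a DNSKEY record.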