Enabling DNSSEC validation with the root trust anchor in Unbound
----------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1 you
would use resolv.grp1.ws.nsrc.org, as you did in the Unbound configuration
exercise.

1. Grab the root key

NOTE: This is only for the purpose of this lab. On the Internet you would
simply run "unbound-anchor" to fetch the real root.key, set
"auto-trust-anchor-file:" in unbound.conf, and let Unbound update the key
itself when the root KSK is rolled (RFC 5011). That file must then be
writable by the user Unbound runs as.

In this lab, which has its own root zone, copy the key from the lab root
server instead:

# scp adm@a.root-servers.net:root.key /usr/local/etc/unbound/root.key

Edit the /usr/local/etc/unbound/unbound.conf file:

Find the "trust-anchor-file:" line in the server: section, and change it
from:

# trust-anchor-file: ""

to

trust-anchor-file: "/usr/local/etc/unbound/root.key"

With "trust-anchor-file:" Unbound treats the key as static and never updates
it. That is fine for this lab, but not for a production resolver.

2. Reload the nameserver

Run unbound-checkconf first, so that a typo in the file does not take the
resolver down on restart, then:

# service unbound restart

3. Query the resolver with DNSSEC records requested:

# dig @localhost +dnssec mytld. SOA

What do you notice? Compare the flags line in the header and the answer
section with the same query made before you enabled validation.
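The following script is an added example, not part of the lab text. It shows
how to tell from dig's output whether the resolver actually validated the
answer (the "ad" flag in the header plus an RRSIG in the answer), whether it
answered without validating, or whether it returned SERVFAIL, which is what
you get when the trust anchor is wrong and the data is judged bogus. The
function names are mine and the three sample responses are constructed, not
captured from the lab resolver.

```sh
#!/bin/sh
# Added example, not part of the lab: decide from dig's output whether the
# resolver actually validated the answer. Function and sample names are mine.

# Reads one dig response on stdin.
# Exit 0: header has the "ad" flag and the answer carries an RRSIG (validated)
# Exit 1: answered, but no "ad" flag (resolver not validating, or zone unsigned)
# Exit 2: SERVFAIL (typical when the trust anchor is wrong and data is bogus)
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"status: SERVFAIL"*) return 2 ;;
    esac
    # e.g. ";; flags: qr rd ra ad; QUERY: 1, ..." -> "qr rd ra ad"
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$out" | grep -q '[[:space:]]RRSIG[[:space:]]' || return 1
    return 0
}

# Same check, printed as a word (always exits 0, so it is safe under set -e).
validation_status() {
    rc=0
    classify_dig_output || rc=$?
    case $rc in
        0) echo validated ;;
        1) echo unvalidated ;;
        *) echo servfail ;;
    esac
}

# Constructed sample responses (not captured from the lab resolver; the
# RRSIG signature field is a dummy string).
sample_validated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mytld.   3600  IN  SOA    ns.mytld. hostmaster.mytld. 2024010101 3600 900 604800 3600
mytld.   3600  IN  RRSIG  SOA 13 1 3600 20240201000000 20240101000000 4711 mytld. ZHVtbXk=
EOF
}

sample_unvalidated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mytld.   3600  IN  SOA    ns.mytld. hostmaster.mytld. 2024010101 3600 900 604800 3600
mytld.   3600  IN  RRSIG  SOA 13 1 3600 20240201000000 20240101000000 4711 mytld. ZHVtbXk=
EOF
}

sample_servfail() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Live use (needs dig and a reachable resolver):
#   sh check_validation.sh localhost mytld.
# Nothing is queried when the script is run without arguments.
if [ $# -ge 2 ] && command -v dig >/dev/null 2>&1; then
    dig @"$1" +dnssec "$2" SOA | validation_status
fi
```

The "ad" flag alone is not proof of validation: a stub that trusts an
upstream resolver will happily relay it. Asking your own resolver on
localhost, as step 3 does, is what makes the flag meaningful, and a SERVFAIL
right after the restart usually means the copied root.key does not match the
key the lab root zone is signed with.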