Agenda: dnssec-unbound-enable-validation.txt

File dnssec-unbound-enable-validation.txt, 1.3 KB (added by trac, 5 years ago)
Enabling DNSSEC validation with the root trust anchor in Unbound
----------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1, you
would use resolv.grp1.dns.nsrc.org, as you did in the unbound config
exercise.

1. Grab the root key

    NOTE: This is only for the purpose of this lab - on the Internet,
    you would simply use "unbound-anchor" to download the real root.key,
    and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
    the key when necessary.

    In this lab, ask your instructor if we are using the "RZM" or not.

        With RZM
        --------

        Go to https://rzm.dnssek.org/, and copy the trust-anchor
        statement (the ENTIRE line) from this page and paste it into
        a file, /usr/local/etc/unbound/root.key

        Without RZM
        -----------

        Grab the key from the root server:

            # scp sysadm@a.root-servers.net:root.key  /usr/local/etc/unbound/root.key

    Edit the /usr/local/etc/unbound/unbound.conf file:

    Find the "trust-anchor-file:" line, and change it from:

    # trust-anchor-file: ""

    to

    trust-anchor-file: "/usr/local/etc/unbound/root.key"

2. Reload the nameserver

    # service unbound restart

3. dig @localhost +dnssec mytld. SOA

    What do you notice?
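
One way to read the result of step 3, as an added example that is not part of the original lab sheet: the function below classifies `dig +dnssec` output by the header status, the `ad` (authenticated data) flag and the presence of RRSIG records. The function names and the sample reply, including `ns.mytld.` and `admin.mytld.`, are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `dig +dnssec` output read from stdin.
#   secure      - resolver set the "ad" flag (answer was validated)
#   unvalidated - RRSIGs were returned but the "ad" flag is missing
#   unsigned    - no RRSIGs and no "ad" flag
#   servfail    - SERVFAIL, which is what a validator returns for bogus
#                 data (other causes are possible, check the unbound log)
#   unknown     - no dig header found in the input
dnssec_status() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            # ";; flags: qr rd ra ad; QUERY: 1, ..." -> third ";" field
            split($0, parts, ";")
            if (parts[3] ~ / ad( |$)/) ad = 1
        }
        # Record lines do not start with ";"; the type is the 4th field
        !/^;/ && $4 == "RRSIG" { sigs++ }
        END {
            if (status == "")              print "unknown"
            else if (status == "SERVFAIL") print "servfail"
            else if (ad)                   print "secure"
            else if (sigs)                 print "unvalidated"
            else                           print "unsigned"
        }'
}

# Constructed sample reply (not captured from a real server).
# $1 = header flags, $2 = response status
sample_reply() {
    cat <<EOF
;; ->>HEADER<<- opcode: QUERY, status: $2, id: 4242
;; flags: $1; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
mytld. 3600 IN SOA ns.mytld. admin.mytld. 1 3600 900 604800 3600
mytld. 3600 IN RRSIG SOA 8 1 3600 (constructed-signature)
EOF
}

# Demo on the constructed reply. On the lab resolver you would run:
#   dig @localhost +dnssec mytld. SOA | dnssec_status
sample_reply "qr rd ra ad" NOERROR | dnssec_status
```

Running the real query before and after step 1 shows the difference the trust anchor makes: the same signed answer moves from `unvalidated` to `secure`.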