| 1 | Enabling DNSSEC validation with the root trust anchor in Unbound |
|---|
| 2 | ---------------------------------------------------------------- |
|---|
| 3 | |
|---|
| 4 | You need to log in to your resolver (cache) machine, i.e. for group 1, you |
|---|
| 5 | would use resolv.grp1.ws.nsrc.org, as you did in the unbound config |
|---|
| 6 | exercise |
|---|
| 7 | |
|---|
| 8 | 1. Grab the root key |
|---|
| 9 | |
|---|
| 10 | NOTE: This is only for the purpose of this lab - on the Internet, |
|---|
| 11 | you would simply use "unbound-anchor" to download the real root.key, |
|---|
| 12 | and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update |
|---|
| 13 | the key when necessary. |
|---|
| 14 | |
|---|
| 15 | In this lab: |
|---|
| 16 | |
|---|
| 17 | Go to https://rzm.dnssek.org/, and copy the trust-anchor |
|---|
| 18 | statement (the ENTIRE line) from this page and paste it into |
|---|
| 19 | your Unbound configuration file (/usr/local/etc/unbound/unbound.conf) |
|---|
| 20 | |
|---|
| 21 | Find the "trust-anchor-file:" line, and change it from: |
|---|
| 22 | |
|---|
| 23 | # trust-anchor: |
|---|
| 24 | |
|---|
| 25 | to |
|---|
| 26 | |
|---|
| 27 | trust-anchor: ". DNSKEY 257 3 8 Aw.... (the whole line)" |
|---|
| 28 | |
|---|
| 29 | 2. Reload the nameserver |
|---|
| 30 | |
|---|
| 31 | # service unbound restart |
|---|
| 32 | |
|---|
| 33 | 3. dig @localhost +dnssec mytld. SOA |
|---|
| 34 | |
|---|
| 35 | What do you notice ? |
|---|
