Symptom: Now (as of 15 July 2010) the root DNS zone is DNSSEC signed.
Problem: How to configure an Unbound resolving DNS server to make use of DNSSEC information and validate DNS queries?
Solution: Below are some quick instructions. Full documentation can be found at
- Unbound 1.4.0 or better (compiled with RSASHA256 support)
- the DNS Root Trust Anchor
    # trust anchor for the root zone
    trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"

and restart the unbound DNS Server. In your logfiles you should now see DNSSEC validation.

    unbound[12418:0] info: resolving <. NS IN>
    unbound[12418:0] info: validate(positive): sec_status_secure
    unbound[12418:0] info: validation success <. NS IN>

If you want to see DNSSEC validation at work, install the Firefox DNSSEC Add-On http://www.dnssec-validator.cz/ and then go to www.root-dnssec.org or www.ripe.net, and you should see a nice green key icon in the URL bar telling you that this DNS information was DNSSEC validated.
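The DS fields in the trust-anchor line (key tag 19036, algorithm 8 = RSASHA256, digest type 2 = SHA-256) and the sec_status_* values in the log can be checked mechanically. The script below is an added example, not part of the original instructions or of Unbound; the function names check_trust_anchor and not_secure are hypothetical, and the truncated anchor and the sec_status_bogus log line are constructed samples.

```python
import re

# DS digest type -> digest length in bytes (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGEST_BYTES = {1: 20, 2: 32, 4: 48}
RSASHA256 = 8  # DNSSEC algorithm number; the reason for the RSASHA256 build requirement

ANCHOR_RE = re.compile(
    r'^\s*trust-anchor:\s*"(\S+)\s+(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)"\s*$')
STATUS_RE = re.compile(r'validate\((\w+)\): (sec_status_\w+)')

def check_trust_anchor(line):
    """Parse a trust-anchor DS line and return (fields, problems)."""
    m = ANCHOR_RE.match(line)
    if not m:
        return None, ["not a well-formed trust-anchor DS line"]
    tag, alg, dtype = (int(m.group(i)) for i in (2, 3, 4))
    digest = m.group(5).replace(" ", "").upper()
    fields = {"owner": m.group(1), "key_tag": tag, "algorithm": alg,
              "digest_type": dtype, "digest": digest}
    problems = []
    if tag > 65535:
        problems.append("key tag does not fit in 16 bits")
    if dtype not in DIGEST_BYTES:
        problems.append("unknown digest type %d" % dtype)
    elif len(digest) != 2 * DIGEST_BYTES[dtype]:
        problems.append("digest is %d hex chars, expected %d"
                        % (len(digest), 2 * DIGEST_BYTES[dtype]))
    return fields, problems

def not_secure(log_text):
    """Return every validator status in the log that is not sec_status_secure."""
    return [s for _, s in STATUS_RE.findall(log_text) if s != "sec_status_secure"]

# Anchor line and log excerpt as printed on this page
PAGE_ANCHOR = ('trust-anchor: ". DS 19036 8 2 '
               '49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"')
PAGE_LOG = """unbound[12418:0] info: resolving <. NS IN>
unbound[12418:0] info: validate(positive): sec_status_secure
unbound[12418:0] info: validation success <. NS IN>"""
# Constructed samples: a digest that lost 4 characters in copy/paste, a failing status
TRUNCATED = PAGE_ANCHOR[:-5] + '"'
BOGUS_LOG = PAGE_LOG.replace("sec_status_secure", "sec_status_bogus")

if __name__ == "__main__":
    for line in (PAGE_ANCHOR, TRUNCATED):
        fields, problems = check_trust_anchor(line)
        print(fields["key_tag"], "needs RSASHA256:", fields["algorithm"] == RSASHA256,
              problems or "ok")
    print(not_secure(PAGE_LOG), not_secure(BOGUS_LOG))
```

Key tag 19036 identifies the root key in use when these instructions were written; compare the anchor against the one IANA currently publishes before relying on it.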