Symptom:

As of 15 July 2010, the root DNS zone is DNSSEC signed.

Problem:

How to configure an unbound resolving DNS Server to make use of DNSSEC information and validate DNS queries? 

Solution

Below are some quick instructions. Full documentation can be found at
http://unbound.net/documentation/howto_anchor.html

Requirements:
  • Unbound 1.4.0 or better (compiled with RSASHA256 support)
  • the DNS Root Trust Anchor
In your unbound configuration, add the following lines:
# trust anchor for the root zone
trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" 
and restart the unbound DNS Server. In your logfiles you should now see DNSSEC validation.
[1279261948] unbound[12418:0] info: resolving <. NS IN>
[1279261948] unbound[12418:0] info: validate(positive): sec_status_secure
[1279261948] unbound[12418:0] info: validation success <. NS IN> 
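Before restarting, it is worth checking that the trust-anchor line is a well-formed DS record, and after restarting, worth summarising what the log actually reports rather than eyeballing it. The Python script below is an added example, not part of the original page or of the Unbound project: it validates the DS record fields of each `trust-anchor:` line (owner, key tag, algorithm, digest type, digest length for SHA-1 or SHA-256) and counts `sec_status_*` results and per-name validation outcomes in Unbound info-level log lines. The configuration and log samples are constructed from the lines shown above plus one insecure and one failing entry (the `example.invalid.` name is a placeholder).

```python
import re
from collections import Counter

# Constructed sample: the trust-anchor line from the page as it appears in unbound.conf.
SAMPLE_CONF = '''
# trust anchor for the root zone
trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
'''

# Constructed sample log, modelled on the unbound info lines above; the last two
# entries are added to show what a non-validated and a failed lookup look like.
SAMPLE_LOG = """\
[1279261948] unbound[12418:0] info: resolving <. NS IN>
[1279261948] unbound[12418:0] info: validate(positive): sec_status_secure
[1279261948] unbound[12418:0] info: validation success <. NS IN>
[1279261950] unbound[12418:0] info: validate(positive): sec_status_insecure
[1279261951] unbound[12418:0] info: validation failure <example.invalid. A IN>: signature crypto failed
"""

# Expected digest length in hex characters per DS digest type (1 = SHA-1, 2 = SHA-256).
DIGEST_HEX_LEN = {1: 40, 2: 64}

TRUST_ANCHOR_RE = re.compile(r'^\s*trust-anchor:\s*"([^"]*)"\s*$')
STATUS_RE = re.compile(r"sec_status_(\w+)")
RESULT_RE = re.compile(r"info: validation (success|failure) <([^>]+)>")


def parse_trust_anchors(conf_text):
    """Return one dict per trust-anchor DS record found in conf_text.

    Raises ValueError on a malformed record so a bad anchor is caught
    before the resolver is restarted with it.
    """
    anchors = []
    for line in conf_text.splitlines():
        m = TRUST_ANCHOR_RE.match(line)
        if not m:
            continue
        fields = m.group(1).split()
        # Presentation format: <owner> DS <keytag> <algorithm> <digest type> <digest>
        if len(fields) != 6 or fields[1].upper() != "DS":
            raise ValueError(f"not a DS record: {line.strip()}")
        owner, _, keytag, alg, dtype, digest = fields
        keytag, alg, dtype = int(keytag), int(alg), int(dtype)
        if not 0 <= keytag <= 65535:
            raise ValueError(f"key tag out of range: {keytag}")
        if dtype not in DIGEST_HEX_LEN:
            raise ValueError(f"unsupported digest type: {dtype}")
        if len(digest) != DIGEST_HEX_LEN[dtype] or not re.fullmatch(r"[0-9A-Fa-f]+", digest):
            raise ValueError(f"digest is not {DIGEST_HEX_LEN[dtype]} hex chars: {digest}")
        anchors.append({
            "owner": owner,
            "keytag": keytag,
            "algorithm": alg,       # 8 = RSASHA256, which the page requires Unbound to support
            "digest_type": dtype,
            "digest": digest.upper(),
        })
    return anchors


def summarize_validation(log_text):
    """Count sec_status values and collect names by validation outcome."""
    status = Counter()
    results = {"success": [], "failure": []}
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            status[m.group(1)] += 1
        m = RESULT_RE.search(line)
        if m:
            results[m.group(1)].append(m.group(2))
    return status, results


def is_validating(log_text):
    """True once at least one answer was validated as secure."""
    status, _ = summarize_validation(log_text)
    return status["secure"] > 0


if __name__ == "__main__":
    for a in parse_trust_anchors(SAMPLE_CONF):
        print("trust anchor OK:", a)
    status, results = summarize_validation(SAMPLE_LOG)
    print("sec_status counts:", dict(status))
    print("validated:", results["success"])
    print("failed:", results["failure"])
    print("resolver validating:", is_validating(SAMPLE_LOG))
```

Point the script at your real `unbound.conf` and at the resolver log (Unbound needs `verbosity: 2` or higher to emit the `validate` lines) to get the same summary; a `failure` entry for a domain you expect to resolve usually indicates clock skew, a stale anchor, or a path that strips DNSSEC records, rather than a real attack.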
If you want to see DNSSEC validation at work, install the Firefox DNSSEC Add-On http://www.dnssec-validator.cz/ and then go to www.root-dnssec.org or www.ripe.net, and you should see a nice green key icon in the URL bar telling you that this DNS information was DNSSEC validated.