
Symptom:

Below is a step-by-step walk-through of an Unbound installation using the Men & Mice compiled RPM packages from http://support.menandmice.com/download/unbound/

This walk-through has been tested with RedHat EL/CentOS 6.5, ldns 1.6.16 and Unbound 1.4.21 in January 2014.

If you find errors or regressions in this tutorial, please let us know at support@menandmice.com.

Problem:

This walk-through is based on a vanilla RedHat / CentOS 6.x installation.

Solution

  1. Install libevent from the RedHat/CentOS repositories
    [root@localhost ~]# yum install libevent
    Resolving Dependencies
    --> Running transaction check
    ---> Package libevent.i686 0:1.4.13-4.el6 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package            Arch           Version                 Repository      Size
    ================================================================================
    Installing:
     libevent           i686           1.4.13-4.el6            base            67 k
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    
    Total download size: 67 k
    Installed size: 226 k
    Is this ok [y/N]: y
    Downloading Packages:
    
    libevent-1.4.13-4.el6.i686.rpm                           |  67 kB     00:00     
    warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
    
    
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    Importing GPG key 0xC105B9DE:
     Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
     Package: centos-release-6-5.el6.centos.11.1.i686 (@anaconda-CentOS-201311271240.i386/6.5)
     From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    Is this ok [y/N]: y
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    
      Verifying  : libevent-1.4.13-4.el6.i686                                   1/1
    
    Installed:
      libevent.i686 0:1.4.13-4.el6                                                  
    
    Complete!
  2. Install ldns using the Men & Mice packages
    
    [root@localhost ~]# curl -O http://support.menandmice.com/download/ldns/linux/redhat/6/i386/1.6.16/NLNETLABSLDNS-1.6.16-RHLi686.rpm
    [root@localhost ~]# yum install NLNETLABSLDNS-1.6.16-RHLi686.rpm
    Failed to set locale, defaulting to C
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.netcologne.de
     * extras: mirror.netcologne.de
     * updates: mirror.netcologne.de
    Setting up Install Process
    Examining NLNETLABSLDNS-1.6.16-RHLi686.rpm: ldns-1616RHL-1.el6.i686
    Marking NLNETLABSLDNS-1.6.16-RHLi686.rpm to be installed
    Resolving Dependencies
    --> Running transaction check
    ---> Package ldns.i686 0:1616RHL-1.el6 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package  Arch     Version              Repository                         Size
    ================================================================================
    Installing:
     ldns    i686     1616RHL-1.el6        /NLNETLABSLDNS-1.6.16-RHLi686     3.5 M
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    
    Total size: 3.5 M
    Installed size: 3.5 M
    Is this ok [y/N]: y
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    
    
      Verifying  : ldns-1616RHL-1.el6.i686                                      1/1
    
    Installed:
      ldns.i686 0:1616RHL-1.el6                                                     
    
    Complete!
  3. Add the library path to the dynamic linker

    The ldns and unbound libraries are located in /usr/local/lib. This directory needs to be registered with the Linux dynamic linker:

    [root@localhost ~]# echo "/usr/local/lib" > /etc/ld.so.conf.d/unbound.conf
    [root@localhost ~]# ldconfig
  4. Test ldns using the drill command

    At this point, the drill command should be usable to send DNS queries:
    
    [root@localhost ~]# drill
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 36794
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;; .    IN    NS
    
    ;; ANSWER SECTION:
    .    518400    IN    NS    a.root-servers.net.
    .    518400    IN    NS    l.root-servers.net.
    .    518400    IN    NS    h.root-servers.net.
    .    518400    IN    NS    j.root-servers.net.
    .    518400    IN    NS    d.root-servers.net.
    .    518400    IN    NS    b.root-servers.net.
    .    518400    IN    NS    f.root-servers.net.
    .    518400    IN    NS    g.root-servers.net.
    .    518400    IN    NS    i.root-servers.net.
    .    518400    IN    NS    k.root-servers.net.
    .    518400    IN    NS    e.root-servers.net.
    .    518400    IN    NS    m.root-servers.net.
    .    518400    IN    NS    c.root-servers.net.
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    a.root-servers.net.    589704    IN    A    198.41.0.4
    a.root-servers.net.    589704    IN    AAAA    2001:503:ba3e::2:30
    
    ;; Query time: 41 msec
    ;; SERVER: 192.168.1.6
    ;; WHEN: Thu Jan  9 15:15:54 2014
    ;; MSG SIZE  rcvd: 272
  5. Download and install Unbound
    [root@localhost ~]# curl -O http://support.menandmice.com/download/unbound/linux/redhat/6/i686/1.4.21/NLNETLABSUNBOUND-1.4.21-RHLi686.rpm
    
    [root@localhost ~]# yum install NLNETLABSUNBOUND-1.4.21-RHLi686.rpm
    Failed to set locale, defaulting to C
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.netcologne.de
     * extras: mirror.netcologne.de
     * updates: mirror.netcologne.de
    Setting up Install Process
    Examining NLNETLABSUNBOUND-1.4.21-RHLi686.rpm: unbound-1421RHL-1.el6.i686
    Marking NLNETLABSUNBOUND-1.4.21-RHLi686.rpm to be installed
    Resolving Dependencies
    --> Running transaction check
    ---> Package unbound.i686 0:1421RHL-1.el6 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package    Arch    Version           Repository                           Size
    ================================================================================
    Installing:
     unbound    i686    1421RHL-1.el6     /NLNETLABSUNBOUND-1.4.21-RHLi686    9.8 M
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    
    Total size: 9.8 M
    Installed size: 9.8 M
    Is this ok [y/N]: y
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    
    
      Verifying  : unbound-1421RHL-1.el6.i686                                   1/1
    
    Installed:
      unbound.i686 0:1421RHL-1.el6                                                  
    
    Complete!
    [root@localhost ~]# ldconfig
    Don't forget to run ldconfig after the installation to refresh the dynamic linker cache.
     
  6. Create a system user for the unbound process
    [root@localhost ~]# adduser -r unbound
  7. Create the certificates for unbound-control
    [root@localhost ~]# unbound-control-setup
    setup in directory /usr/local/etc/unbound
    generating unbound_server.key
    Generating RSA private key, 1536 bit long modulus
    ...............................++++
    .....++++
    e is 65537 (0x10001)
    generating unbound_control.key
    Generating RSA private key, 1536 bit long modulus
    ....++++
    .........................................................................................................................................++++
    e is 65537 (0x10001)
    create unbound_server.pem (self signed certificate)
    create unbound_control.pem (signed client certificate)
    Signature ok
    subject=/CN=unbound-control
    Getting CA Private Key
    Setup success. Certificates created. Enable in unbound.conf file to use
    
  8. Enable unbound-control in the unbound configuration file
    [root@localhost ~]# vi /usr/local/etc/unbound/unbound.conf
    
    [... lines omitted here ...]
    remote-control:
            # Enable remote control with unbound-control(8) here.
            # set up the keys and certificates with unbound-control-setup.
            control-enable: yes
  9. Fetch the root-zone trust anchor for DNSSEC validation
    [root@localhost ~]# unbound-anchor
  10. Create an Upstart job for unbound

    We use Upstart on RedHat EL because it monitors the unbound process and restarts it if it terminates unexpectedly.
    [root@localhost ~]# vi /etc/init/unbound.conf
    start on runlevel [3]
    expect fork
    respawn
    exec unbound
    
    
    [root@localhost ~]# initctl reload-configuration
    [root@localhost ~]# initctl start unbound
    unbound start/running, process 1301
    [root@localhost ~]# initctl status unbound
    unbound start/running, process 1301
    [root@localhost ~]# unbound-control status
    version: 1.4.21
    verbosity: 1
    threads: 1
    modules: 2 [ validator iterator ]
    uptime: 18 seconds
    unbound (pid 1301) is running...
  11. Install dig from the bind-utils package to test DNSSEC validation
    [root@localhost ~]# yum install bind-utils
    Failed to set locale, defaulting to C
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.netcologne.de
     * extras: mirror.netcologne.de
     * updates: mirror.netcologne.de
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package bind-utils.i686 32:9.8.2-0.17.rc1.el6_4.6 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package          Arch       Version                           Repository  Size
    ================================================================================
    Installing:
     bind-utils       i686       32:9.8.2-0.17.rc1.el6_4.6         base       181 k
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    
    Total download size: 181 k
    Installed size: 430 k
    Is this ok [y/N]: y
    Downloading Packages:
    
    bind-utils-9.8.2-0.17.rc1.el6_4.6.i686.rpm               | 181 kB     00:00     
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    
    
      Verifying  : 32:bind-utils-9.8.2-0.17.rc1.el6_4.6.i686                    1/1
    
    Installed:
      bind-utils.i686 32:9.8.2-0.17.rc1.el6_4.6                                     
    
    Complete!
  12. Test DNSSEC validation and DNS name resolution using the local unbound caching server
    
    [root@localhost ~]# dig @localhost nlnetlabs.nl soa
    
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @localhost nlnetlabs.nl soa
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57874
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
    
    ;; QUESTION SECTION:
    ;nlnetlabs.nl.            IN    SOA
    
    ;; ANSWER SECTION:
    nlnetlabs.nl.        10200    IN    SOA    open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2014010100 28800 7200 604800 3600
    
    ;; AUTHORITY SECTION:
    nlnetlabs.nl.        10200    IN    NS    open.nlnetlabs.nl.
    nlnetlabs.nl.        10200    IN    NS    mcvax.nlnet.nl.
    nlnetlabs.nl.        10200    IN    NS    ns-ext1.sidn.nl.
    
    ;; ADDITIONAL SECTION:
    open.nlnetlabs.nl.    10200    IN    A    213.154.224.1
    open.nlnetlabs.nl.    10200    IN    AAAA    2001:7b8:206:1::1
    open.nlnetlabs.nl.    10200    IN    AAAA    2001:7b8:206:1::53
    
    ;; Query time: 200 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Thu Jan  9 16:23:30 2014
    ;; MSG SIZE  rcvd: 221
    
    [root@localhost ~]# dig @localhost nlnetlabs.nl soa +dnssec
    
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @localhost nlnetlabs.nl soa +dnssec
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12354
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;nlnetlabs.nl.            IN    SOA
    
    ;; ANSWER SECTION:
    nlnetlabs.nl.        10196    IN    SOA    open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2014010100 28800 7200 604800 3600
    nlnetlabs.nl.        10196    IN    RRSIG    SOA 8 2 10200 20140129015004 20140101015004 42393 nlnetlabs.nl. h3sK32puJD6e6WgZ3MpqjP+Jg33PoZH2TZOmxqszeTASuBVTx94PpfU5 TXc7xpL3rIsX68hzpp7ZfCDJrM32aLR5rBlHtJdouYpUf1y9HuP8Y5gi 1sDrm/zWko414I80nyldNlRqgSQOeUc/tAnL5qnqGN19pgcNFwOAk4DS a8o=
    
    ;; AUTHORITY SECTION:
    nlnetlabs.nl.        10196    IN    NS    open.nlnetlabs.nl.
    nlnetlabs.nl.        10196    IN    NS    mcvax.nlnet.nl.
    nlnetlabs.nl.        10196    IN    NS    ns-ext1.sidn.nl.
    nlnetlabs.nl.        10196    IN    RRSIG    NS 8 2 10200 20140129015004 20140101015004 42393 nlnetlabs.nl. yyuOOKrcvrR+MdG3+zzOT5s/Km8HD5ulZTgACrIdh/AiLOFxBLCv2z02 3XDeelMsWm8bGBbL9ErK53MwcecxuYy0f3vl5kSutBpUWeSTDPCox+cI Nxh9MrktNVCNQ9dU/XcRIOAZyMAhNfhcUBnOXnBRs3yExJHfepQrYa1S +xI=
    
    ;; ADDITIONAL SECTION:
    open.nlnetlabs.nl.    10196    IN    A    213.154.224.1
    open.nlnetlabs.nl.    10196    IN    AAAA    2001:7b8:206:1::1
    open.nlnetlabs.nl.    10196    IN    AAAA    2001:7b8:206:1::53
    open.nlnetlabs.nl.    10196    IN    RRSIG    A 8 3 10200 20140129015005 20140101015005 42393 nlnetlabs.nl. hWswb9SnpOz7pqoLLFqQUj7NWA9QIE3zJp3Lyw6G77fsxx+MX6z3uqBq ca21rGQV9EXRd1PxrAo7aUxh4PKbFRTrZR6un8IYL/x6jMb32IjiUpTG gIQD45QHy/xj+eWk3Swej3YBE5dhLnvVickviey6GN9fMS7VceTEwYHd 3Y4=
    open.nlnetlabs.nl.    10196    IN    RRSIG    AAAA 8 3 10200 20140129015006 20140101015006 42393 nlnetlabs.nl. D4U8HZP9V72XNL+nbyVbIjMFyG1iD0n6W74DW1dhRLtlQG0lOD/jlbHv muhz06qOU2j27bKejvSse0Jdp+1HToJbNq1Chw/NtiWTiUvduDmTyqWM 1ClQGRZBXuxWXm+eT2Mnn2JSi67jzt5bj87tKHSVzD+hcOAPS/P5G8z3 /s0=
    
    ;; Query time: 5 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Thu Jan  9 16:23:34 2014
    ;; MSG SIZE  rcvd: 920
  13. The installation is complete.

    Adjust the unbound configuration according to your requirements.
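
A check for the step 12 output, as an added example that is not part of the original walk-through: the shell function below reads dig output and reports whether the resolver marked the answer as DNSSEC-validated (the ad flag in the header). The function name dnssec_verdict and its verdict strings are chosen here, and the SERVFAIL sample is constructed.

```shell
#!/bin/sh
# Added example, not part of the original walk-through.
# dnssec_verdict reads dig output on stdin and prints:
#   validated      status NOERROR and the "ad" (Authenticated Data) flag set
#   not-validated  status NOERROR without "ad"
#   servfail       status SERVFAIL (what a validating resolver returns when
#                  validation fails; other resolution failures look the same)
#   unknown        anything else, including input with no dig header
dnssec_verdict() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)   # drop the label
            sub(/;.*/, "", flags)          # drop the counters after the flags
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "NOERROR" && ad)  print "validated"
            else if (status == "NOERROR")   print "not-validated"
            else if (status == "SERVFAIL")  print "servfail"
            else                            print "unknown"
        }'
}

# Header lines copied from the two dig runs in step 12.
PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57874
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3'
SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12354
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6'
# Constructed sample: header of a failed lookup.
FAILED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

for sample in "$PLAIN" "$SIGNED" "$FAILED"; do
    printf '%s\n' "$sample" | dnssec_verdict
done

# Live use on the resolver from this walk-through:
#   dig @localhost nlnetlabs.nl soa +dnssec | dnssec_verdict
```

In the step 12 output only the query sent with +dnssec carries the ad flag, so run the check with that option.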