<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Cyril,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It looks like your version of dig is very old. The TYPE46 RR is actually an RRSIG. Since dig doesn’t recognize that, it may not recognize the AD flag either.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Jan.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> unbound-users-bounces@NLnetLabs.nl [mailto:unbound-users-bounces@NLnetLabs.nl] <b>On Behalf Of </b>Cyril Benedict<br><b>Sent:</b> Friday, May 20, 2011 1:51 PM<br><b>To:</b> unbound-users<br><b>Subject:</b> [Unbound-users] Issue in DNSSEC<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi All,<br><br>I am new to unbound DNS. I have installed unbound DNS on a Windows machine. Normal queries were working fine without DNSSEC. But when I tried to enable DNSSEC and validate the queries, it's not working. I expect the AD flag bit to be set in my response. 
Here below is my unbound.conf file,<br><br># Unbound configuration file on windows.<br># See example.conf for more settings and syntax<br>server: <br> verbosity: 1<br> statistics-interval: 30<br> num-threads: 1<br> interface: 0.0.0.0<br> <br> # enable cumulative statistics, without clearing them after printing.<br> statistics-cumulative: yes<br> <br> # enable extended statistics (query types, answer codes, status)<br> # printed from unbound-control. default off, because of speed.<br> extended-statistics: yes<br><br> outgoing-range: 512<br> num-queries-per-thread: 1024<br><br> msg-cache-size: 16m<br> rrset-cache-size: 32m<br><br> msg-cache-slabs: 4<br> rrset-cache-slabs: 4<br><br> cache-max-ttl: 86400<br> infra-host-ttl: 60<br> infra-lame-ttl: 120<br><br> infra-cache-numhosts: 10000<br> infra-cache-lame-size: 10k<br> <br> do-ip4: yes<br> do-ip6: no<br> do-udp: yes<br> do-tcp: yes<br> do-daemonize: yes<br> <br> access-control: <a href="http://0.0.0.0/0">0.0.0.0/0</a> allow<br> access-control: <a href="http://192.168.1.0/24">192.168.1.0/24</a> allow<br> access-control: <a href="http://172.16.0.0/12">172.16.0.0/12</a> allow<br> access-control: <a href="http://10.0.0.0/8">10.0.0.0/8</a> allow<br> access-control: <a href="http://127.0.0.0/8">127.0.0.0/8</a> allow<br> #access-control: <a href="http://0.0.0.0/0">0.0.0.0/0</a> refuse<br><br> #chroot: "/etc/unbound"<br> #username: "unbound"<br> #directory: "/etc/unbound"<br> logfile: "C:\unbound.log"<br> #use-syslog: yes<br> #logfile: ""<br> #use-syslog: no<br> #pidfile: "/etc/unbound/unbound.pid"<br> root-hints: "C:\Program Files\Unbound\named.cache"<br> server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"<br> server: dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"<br> val-log-level: 2<br> <br> # File with trusted keys for validation. 
Specify more than one file<br> # with several entries, one file per entry.<br> # Zone file format, with DS and DNSKEY entries.<br> # Note this gets out of date, use auto-trust-anchor-file please.<br> #trust-anchor-file: ""<br> <br> # Harden against receiving dnssec-stripped data. If you turn it<br> # off, failing to validate dnskey data for a trustanchor will<br> # trigger insecure mode for that zone (like without a trustanchor).<br> # Default on, which insists on dnssec data for trust-anchored zones.<br> harden-dnssec-stripped: yes<br><br> identity: "DNS"<br> version: "1.4"<br> hide-identity: yes<br> hide-version: yes<br> harden-glue: no<br> do-not-query-address: <a href="http://127.0.0.1/8">127.0.0.1/8</a><br> do-not-query-localhost: yes<br> module-config: "validator iterator" <br><br>-----------------------------------<br><br>When I ran dig, I got the output below:<br><br>C:\dig>dig com. SOA +dnssec +multiline<br><br>; <<>> DiG 9.2.3 <<>> com. SOA +dnssec +multiline<br>;; global options: printcmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 4096<br>;; QUESTION SECTION:<br>;com. IN SOA<br><br>;; ANSWER SECTION:<br>com. 878 IN SOA <a href="http://a.gtld-servers.net">a.gtld-servers.net</a>. <a href="http://nstld.verisign-grs.com">nstld.verisign-grs.com</a>. (<br><br> 1305905047 ; serial<br> 1800 ; refresh (30 minutes)<br> 900 ; retry (15 minutes)<br> 604800 ; expire (1 week)<br> 86400 ; minimum (1 day)<br> )<br>com. 
878 IN TYPE46 \# 151 ( 00060801000003844DDFC2174DD6772F8F6903636F6D<br> 00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1<br> 34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38<br> 24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4<br> E6059621CF5F23AA3922120B2DA8351C7B64E682632F<br> 33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1<br> 3EBBED00281030ECEB97A331ECC0802DF9D889 )<br><br>;; AUTHORITY SECTION:<br>com. 172778 IN NS <a href="http://a.gtld-servers.net">a.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://c.gtld-servers.net">c.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://j.gtld-servers.net">j.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://m.gtld-servers.net">m.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://l.gtld-servers.net">l.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://d.gtld-servers.net">d.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://b.gtld-servers.net">b.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://e.gtld-servers.net">e.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://f.gtld-servers.net">f.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://k.gtld-servers.net">k.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://i.gtld-servers.net">i.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://g.gtld-servers.net">g.gtld-servers.net</a>.<br>com. 172778 IN NS <a href="http://h.gtld-servers.net">h.gtld-servers.net</a>.<br>com. 
172778 IN TYPE46 \# 151 ( 000208010002A3004DDB30F54DD1E60D8F6903636F6D<br> 0016A2B11A350932CEAF7999FE7BFB82DF31A1B4EBB0<br> 3BB0F3C15E2D68C0568C3F2EEF8A7BC734C92FA5BA7F<br> 18D64BF478942AA5436AABF08D66342720D103B292A4<br> D60A876FC6AE1D0FF23C15BDE9C4D3485FC1480DBAE8<br> 2BC6A27C67E280A1836FB869850194F851CF53A1D7EB<br> F238FA9705E052D80311D0C31AE491255BCBB3 )<br><br>;; Query time: 15 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Fri May 20 20:54:59 2011<br>;; MSG SIZE rcvd: 637<br><br>My root.key file, after updating it using unbound-anchor, is below:<br><br>; autotrust trust anchor file<br>;;id: . 1<br>;;last_queried: 1305905315 ;;Fri May 20 20:58:35 2011<br>;;last_success: 1305905315 ;;Fri May 20 20:58:35 2011<br>;;next_probe_time: 1305944244 ;;Sat May 21 07:47:24 2011<br>;;query_failed: 0<br>;;query_interval: 43200<br>;;retry_time: 8640<br>. 172800 IN DNSKEY 257 3 8 XXXXXXXXXXXXXXXXXX<br><br><br>Please advise me of any documentation which will help me resolve the issue. I would be grateful if someone could point out the problem. Thanks in advance. <br><br>Thanks,<br>Cyril.<o:p></o:p></p></div></div></body></html>
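<p class=MsoNormal>Added example (editor's code, not part of the thread and not Unbound's or BIND's): a small Python decoder for the two TYPE46 records in Cyril's dig output. It shows what dig 9.2.3 could not: they are RRSIGs over the com. SOA and NS sets (RFC 4034 section 3.1 wire layout, printed by old dig in the RFC 3597 "\# length hex" form), made with algorithm 8 by the key with tag 36713, and it checks that the validity window covered the time of the query. The hex is copied from the thread with only the e-mail line wrapping removed; QUERY_TIME is the ;;last_queried timestamp from the posted root.key; the RRTYPES and ALGORITHMS name tables are mine and cover only the types and algorithms relevant here.</p>

```python
"""Decode dig's TYPE46 records as RRSIGs and check their validity window."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Hex copied from the two TYPE46 records in the dig output in the thread;
# only the line wrapping introduced by the mail client has been removed.
SOA_RRSIG_TEXT = r"""\# 151 ( 00060801000003844DDFC2174DD6772F8F6903636F6D
    00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1
    34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
    24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4
    E6059621CF5F23AA3922120B2DA8351C7B64E682632F
    33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1
    3EBBED00281030ECEB97A331ECC0802DF9D889 )"""

NS_RRSIG_TEXT = r"""\# 151 ( 000208010002A3004DDB30F54DD1E60D8F6903636F6D
    0016A2B11A350932CEAF7999FE7BFB82DF31A1B4EBB0
    3BB0F3C15E2D68C0568C3F2EEF8A7BC734C92FA5BA7F
    18D64BF478942AA5436AABF08D66342720D103B292A4
    D60A876FC6AE1D0FF23C15BDE9C4D3485FC1480DBAE8
    2BC6A27C67E280A1836FB869850194F851CF53A1D7EB
    F238FA9705E052D80311D0C31AE491255BCBB3 )"""

# ";;last_queried" from the posted root.key, used as "now" for the window check.
QUERY_TIME = 1305905315

# Name tables (editor's, partial): only what is needed to label these records.
RRTYPES = {1: "A", 2: "NS", 6: "SOA", 43: "DS", 46: "RRSIG", 48: "DNSKEY"}
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256"}


@dataclass
class RRSIG:
    type_covered: int
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int   # seconds since the epoch, unsigned 32-bit (RFC 4034 3.1.5)
    inception: int
    key_tag: int
    signer: str
    signature: bytes


def parse_generic_rdata(text):
    """Parse RFC 3597 generic rdata ('\\# <length> <hex...>') into bytes."""
    fields = text.replace("(", " ").replace(")", " ").split()
    if len(fields) < 2 or fields[0] != r"\#":
        raise ValueError("not RFC 3597 generic rdata")
    length = int(fields[1])
    data = bytes.fromhex("".join(fields[2:]))
    if len(data) != length:
        raise ValueError(f"declared {length} bytes, found {len(data)}")
    return data


def read_name(data, offset):
    """Read an uncompressed wire-format name (RFC 4034 forbids compression
    pointers in the signer name) and return it with the offset past it."""
    labels = []
    while True:
        n = data[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in signer name")
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels) + ".", offset


def parse_rrsig(rdata):
    """Split RRSIG rdata into its fields: fixed 18-byte header, signer name,
    then the signature occupies whatever remains."""
    if len(rdata) < 18:
        raise ValueError("RRSIG rdata shorter than its fixed header")
    tc, alg, labels, ottl, exp, inc, tag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, off = read_name(rdata, 18)
    return RRSIG(tc, alg, labels, ottl, exp, inc, tag, signer, rdata[off:])


def is_current(sig, now):
    """inception <= now <= expiration using the RFC 1982 serial arithmetic
    that RFC 4034 requires, so the comparison survives 32-bit wrap-around."""
    after_inception = (now - sig.inception) % 2**32 < 2**31
    before_expiration = (sig.expiration - now) % 2**32 < 2**31
    return after_inception and before_expiration


def describe(sig):
    """Render the record the way a current dig prints an RRSIG."""
    def ts(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%Y%m%d%H%M%S")
    return (f"RRSIG {RRTYPES.get(sig.type_covered, sig.type_covered)} "
            f"{sig.algorithm} {sig.labels} {sig.original_ttl} "
            f"{ts(sig.expiration)} {ts(sig.inception)} {sig.key_tag} {sig.signer} "
            f"({len(sig.signature)}-byte {ALGORITHMS.get(sig.algorithm, 'unknown')} signature)")


if __name__ == "__main__":
    for text in (SOA_RRSIG_TEXT, NS_RRSIG_TEXT):
        sig = parse_rrsig(parse_generic_rdata(text))
        state = "current" if is_current(sig, QUERY_TIME) else "outside validity window"
        print(describe(sig), "-", state)
```

<p class=MsoNormal>Run as a script it prints the two records in the form a current dig shows (`RRSIG SOA 8 1 900 ... 36713 com.` and `RRSIG NS 8 1 172800 ... 36713 com.`), both valid at the time of the query. Note what this does not tell you: whether Unbound validated them. The AD bit lives in the 12-byte message header, not in any record, so the decisive test is the `ad` flag in a resolver's response to a query with the DO bit set, which a dig new enough to know type 46 will print on its `flags:` line. Separately, one thing in the posted configuration that a practitioner should not copy: with `interface: 0.0.0.0` and `access-control: 0.0.0.0/0 allow` as the first rule, the server answers recursive queries from any address that can reach it, i.e. it is an open resolver; the commented-out `0.0.0.0/0 refuse` is the line that should be in effect, with only the private ranges allowed.</p>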