[Dnssec-trigger] dnssec-trigger and local-zone

Tomas Hozza thozza at redhat.com
Wed Oct 15 15:10:37 UTC 2014


----- Original Message -----
> Hi,
> >> I am currently experimenting wit the DNS setup in our local
> >> hackerspace. Our router does not support DNSSEC as cache, so I set
> >> up an unbound on a server in our space, and configured DHCP
> >> appropriately. dnssec-trigger detects that our local cache supports
> >> DNSSEC. That's generally working fine.
> > 
> >> However, we do have a "local-zone" configured to manage the names
> >> of machines in the space. And when I run dnssec-trigger on my
> >> machine, these names fail to resolve with a SERVFAIL. I assume
> >> that's because our local TLD is not properly signed by the root
> >> zone - and in fact, how could it be. Is there a way to set up local
> >> zones in a way that still works with DNSSEC-validating resolvers? I
> >> tried using the ".local" TLD, but that doesn't seem to work
> >> either.
> > 
> > You need a trust anchor for your local zone.  Because it is not DNSSEC
> > signed this trust anchor is a negative trust anchor, disabling DNSSEC
> > for this domain.  domain-insecure: "local-zone" in unbound.conf (you
> > can include config files from unbound.conf if you want to separate
> > management for it, include: "other.conf").
> That would be configuration in the unbound running on my local machine,
> right? That doesn't really help, unfortunately - I can't ask everybody
> who's using dnssec-trigger to manually configure their machine.
> I was hoping that there would be a TLD that had a non-trusted delegation
> from the root, or similar, such that one can easily create "fake"
> answers below that TLD. If nothing like that exists, I will have to use
> a subdomain of our domain, and manually create a non-trusted delegation.

I think setting an "insecure" forward zone for your hacker-space domain
to the local DNS server (unbound) could help.

You could set up your local DHCP server to propagate that domain as a search
domain. Then the dnssec-trigger dispatcher script should set up the forward
zone automatically on the client. I'm not sure which version of the trigger
you're running, but if it is the latest, just adjust the /etc/dnssec.conf,
set up the search domain in your DHCP server and it should work.

Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

Red Hat Inc.                               http://cz.redhat.com

More information about the dnssec-trigger mailing list