[Unbound-users] Issue in DNSSEC
Cyril Benedict
cyrilbenedict at gmail.com
Fri May 20 17:50:41 UTC 2011
Hi All,
I am new to Unbound DNS. I have installed Unbound DNS on a Windows machine.
Normal queries were working fine without DNSSEC. But when I tried to enable
DNSSEC and validate the queries, it's not working. I expect the AD flag bit
to be set in my response. Here below is my unbound.conf file:
# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
verbosity: 1
statistics-interval: 30
num-threads: 1
interface: 0.0.0.0
# enable cumulative statistics, without clearing them after printing.
statistics-cumulative: yes
# enable extended statistics (query types, answer codes, status)
# printed from unbound-control. default off, because of speed.
extended-statistics: yes
outgoing-range: 512
num-queries-per-thread: 1024
msg-cache-size: 16m
rrset-cache-size: 32m
msg-cache-slabs: 4
rrset-cache-slabs: 4
cache-max-ttl: 86400
infra-host-ttl: 60
infra-lame-ttl: 120
infra-cache-numhosts: 10000
infra-cache-lame-size: 10k
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 0.0.0.0/0 allow
access-control: 192.168.1.0/24 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/8 allow
#access-control: 0.0.0.0/0 refuse
#chroot: "/etc/unbound"
#username: "unbound"
#directory: "/etc/unbound"
logfile: "C:\unbound.log"
#use-syslog: yes
#logfile: ""
#use-syslog: no
#pidfile: "/etc/unbound/unbound.pid"
root-hints: "C:\Program Files\Unbound\named.cache"
server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
server: dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
val-log-level: 2
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
# Note this gets out of date, use auto-trust-anchor-file please.
#trust-anchor-file: ""
# Harden against receiving dnssec-stripped data. If you turn it
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
identity: "DNS"
version: "1.4"
hide-identity: yes
hide-version: yes
harden-glue: no
do-not-query-address: 127.0.0.1/8
do-not-query-localhost: yes
module-config: "validator iterator"
-----------------------------------
When I ran dig, I got the output below:
C:\dig>dig com. SOA +dnssec +multiline
; <<>> DiG 9.2.3 <<>> com. SOA +dnssec +multiline
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com. IN SOA
;; ANSWER SECTION:
com. 878 IN SOA a.gtld-servers.net.
nstld.verisign-grs.com. (
1305905047 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
com. 878 IN TYPE46 \# 151 (
00060801000003844DDFC2174DD6772F8
F6903636F6D
00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1
34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4
E6059621CF5F23AA3922120B2DA8351C7B64E682632F
33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1
3EBBED00281030ECEB97A331ECC0802DF9D889 )
;; AUTHORITY SECTION:
com. 172778 IN NS a.gtld-servers.net.
com. 172778 IN NS c.gtld-servers.net.
com. 172778 IN NS j.gtld-servers.net.
com. 172778 IN NS m.gtld-servers.net.
com. 172778 IN NS l.gtld-servers.net.
com. 172778 IN NS d.gtld-servers.net.
com. 172778 IN NS b.gtld-servers.net.
com. 172778 IN NS e.gtld-servers.net.
com. 172778 IN NS f.gtld-servers.net.
com. 172778 IN NS k.gtld-servers.net.
com. 172778 IN NS i.gtld-servers.net.
com. 172778 IN NS g.gtld-servers.net.
com. 172778 IN NS h.gtld-servers.net.
com. 172778 IN TYPE46 \# 151 (
000208010002A3004DDB30F54DD1E6
0D8F6903636F6D
0016A2B11A350932CEAF7999FE7BFB82DF31A1B4EBB0
3BB0F3C15E2D68C0568C3F2EEF8A7BC734C92FA5BA7F
18D64BF478942AA5436AABF08D66342720D103B292A4
D60A876FC6AE1D0FF23C15BDE9C4D3485FC1480DBAE8
2BC6A27C67E280A1836FB869850194F851CF53A1D7EB
F238FA9705E052D80311D0C31AE491255BCBB3 )
;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 20 20:54:59 2011
;; MSG SIZE rcvd: 637
My root.key file is below, after updating the file using unbound-anchor:
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1305905315 ;;Fri May 20 20:58:35 2011
;;last_success: 1305905315 ;;Fri May 20 20:58:35 2011
;;next_probe_time: 1305944244 ;;Sat May 21 07:47:24 2011
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 XXXXXXXXXXXXXXXXXX
Please advise me of any documentation that will help me to resolve the
issue. I would be grateful if someone could point out the problem. Thanks in
advance.
Thanks,
Cyril.
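The dig output above shows the header flags "qr rd ra" with no "ad", and the signature records printed as TYPE46 (type 46 is RRSIG, which this old dig does not name). The following is an added example, not code from the original post: it builds the same kind of query (SOA for com. with the EDNS0 DO bit, as +dnssec sends) and parses a response header to decide whether the resolver actually asserted validation. The two response headers are constructed to match the post's header line (id 41, NOERROR, 1/2/14/1 counts), once without and once with the AD bit.

```python
import struct

# DNS header flag bit positions (RFC 1035, RFC 4035): AD = authenticated data,
# which a validating resolver sets only when every RRset in the answer validated.
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}
# RR type numbers from RFC 4034; old dig versions print unknown ones as TYPEnn.
RRTYPE_NAMES = {2: "NS", 6: "SOA", 43: "DS", 46: "RRSIG", 48: "DNSKEY"}
QTYPE_SOA = 6

def build_query(qname, qtype, qid=41, do=True):
    """Wire-format query with an EDNS0 OPT record; DO=1 asks for RRSIGs."""
    # flags 0x0100 = RD set; counts: 1 question, 0 answer, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0,
    # flags word with DO (0x8000), empty rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000 if do else 0, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte DNS header into id, rcode, section counts and flags."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
        "flags": {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()},
    }

def validated(msg):
    """True only for a NOERROR response in which the resolver set AD."""
    h = parse_header(msg)
    return h["flags"]["qr"] and h["rcode"] == 0 and h["flags"]["ad"]

# Constructed sample headers (not captured from the poster's resolver).
# 0x8180 = qr rd ra, matching the post; 0x81A0 adds the ad bit.
UNVALIDATED_RESPONSE = struct.pack("!HHHHHH", 41, 0x8180, 1, 2, 14, 1)
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 41, 0x81A0, 1, 2, 14, 1)

if __name__ == "__main__":
    print(build_query("com.", QTYPE_SOA).hex())
    for label, msg in (("no ad", UNVALIDATED_RESPONSE), ("ad", VALIDATED_RESPONSE)):
        print(label, parse_header(msg)["flags"], "validated:", validated(msg))
```

Sending the query from build_query to a resolver over UDP and feeding the reply to validated() gives a yes/no check that does not depend on which dig version happens to be installed.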