[Unbound-users] What is needed for dnssec?

Ondřej Surý ondrej at sury.org
Tue Feb 14 15:03:03 UTC 2012

On Tue, Feb 14, 2012 at 10:03, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 02/14/2012 12:46 AM, Marcel van Beurden wrote:
>> Hi all,
>> I'm new to Unbound and DNSSEC. I'm using it on my home network to serve up
>> my local hostnames, provide me with DNSSEC and IPv6 support.
>> My 1st question is a general DNSSEC question. What do I need to have on my
>> desktop pc to have Firefox with the DNSSEC Validator addon to validate
>> DNSSEC-enabled websites? I have installed Unbound on my server (Debian
>> 6.0)
> That depends on how the firefox plugin works. It may DNSSEC itself, and
> merely require a DNSSEC-aware upstream resolver.

> Or it may require the
> upstream resolver to do DNSSEC and set the "ad" flag.

This one, but we are thinking to move it closer to application and do
validation inside DNSSEC Validator.

>> and have my desktop pc (Ubuntu 11.10) use my server as DNS-server. This
>> does not seem to work. So I also installed Unbound on my desktop, and then
>> it seems to work. Is this how it's supposed to work?
> Care to be more specific about what "does not seem to work" means?
> With unbound on your server, you should be able to do:
> dig +dnssec @server <signed name>
> ...and get back a response with the "ad" flag set e.g.
> $ dig +dnssec org ns
> ...
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
>                   ^^ AD flag set

Ondřej Surý <ondrej at sury.org>

More information about the Unbound-users mailing list