No 'ad' bit from a stub zone

Xavier Belanger nlnetlabs at
Sat Mar 21 15:00:44 UTC 2020


Unbound 1.10.0 runs on my home server and it is configured
with a stub zone:

-- unbound.conf --
        name: ""
        stub-addr: ::1 at 53

That stub zone is managed by a ISC BIND server running
on the same host, using inline-signing:

-- named.conf --
zone "" IN {
        type master;
        file "";

        # DNSSEC keys
        key-directory "/srv/named/keys";

        # automate DNSSEC
        auto-dnssec maintain;
        inline-signing yes;

When I use dig to check a DNSSEC record in that zone,
I do not obtain the 'ad' bit.

>From the 'unbound' manual page I can read that my configuration
is probably incomplete:

> This setup allows DNSSEC signed zones to be served by that
> authoritative server, in which case a trusted key entry with
> the public key can be put in config, so that unbound can
> validate the data and set the AD bit on replies for
> the private zone

Here are my questions:

 - Does that kind of setup would work with BIND inline-signing?
If not I can switch to some kind of manual signing.

 - How can I add the zone public key in the configuration
to restore the trust chain?

Thanks for your help.

Xavier Belanger

More information about the Unbound-users mailing list