No 'ad' bit from a stub zone
Xavier Belanger
nlnetlabs at belanger.fr
Sat Mar 21 15:00:44 UTC 2020
Hi,
Unbound 1.10.0 runs on my home server and it is configured
with a stub zone:
-- unbound.conf --
stub-zone:
  name: "home.arpa"
  stub-addr: ::1@53
------------------
That stub zone is managed by an ISC BIND server running
on the same host, using inline-signing:
-- named.conf --
zone "home.arpa" IN {
  type master;
  file "home.arpa/zone.home.arpa";
  # DNSSEC keys
  key-directory "/srv/named/keys";
  # automate DNSSEC
  auto-dnssec maintain;
  inline-signing yes;
};
----------------
When I use dig to check a DNSSEC record in that zone,
I do not obtain the 'ad' bit.
From the 'unbound' manual page I can read that my configuration
is probably incomplete:
> This setup allows DNSSEC signed zones to be served by that
> authoritative server, in which case a trusted key entry with
> the public key can be put in config, so that unbound can
> validate the data and set the AD bit on replies for
> the private zone
Here are my questions:
- Would that kind of setup work with BIND inline-signing?
If not, I can switch to some kind of manual signing.
- How can I add the zone public key in the configuration
to restore the trust chain?
Thanks for your help.
Sincerely.
--
Xavier Belanger
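Added example for the two questions above (it is not part of the original message and not code from the Unbound or BIND projects). Unbound accepts a zone's key-signing key as a local trust anchor with a line of the form trust-anchor: "home.arpa. DNSKEY 257 3 13 <base64>", and BIND's inline-signing keeps the KSK public key in the key-directory as a .key file (the same record can also be read with dig DNSKEY home.arpa @::1). The script below turns such a .key file into that unbound.conf line and checks a dig reply for the 'ad' flag; the key file content, key material and dig output are constructed samples, not real keys or real output. A local anchor is needed because the delegation of home.arpa from the arpa zone carries no DS record, so the public chain of trust can only reach an insecure result for the zone.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a BIND KSK .key file as
# written by dnssec-keygen and dig's usual text output.

# Constructed sample of a BIND key-signing-key file (Khome.arpa.+013+NNNNN.key).
# The base64 material is a made-up placeholder, not a real key.
SAMPLE_KEY_FILE='; This is a key-signing key, keyid 12345, for home.arpa.
; Created: 20200321120000 (Sat Mar 21 12:00:00 2020)
home.arpa. IN DNSKEY 257 3 13 PLACEHOLDERBASE64KEYMATERIALxxxxxxxxxxxxxxxxxx=='

# Constructed samples of dig headers: one without and one with the 'ad' flag.
DIG_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
DIG_WITH_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# ksk_to_trust_anchor: read a .key file on stdin and print the unbound.conf
# trust-anchor line. Comment lines, an optional TTL and the class are dropped;
# only DNSKEY records with flags 257 (a KSK) are emitted.
ksk_to_trust_anchor() {
  awk '
    /^;/ { next }                      # skip dnssec-keygen comments
    {
      owner = $1; i = 2
      if ($i ~ /^[0-9]+$/) i++         # optional TTL field
      if ($i == "IN") i++              # optional class field
      if ($i != "DNSKEY" || $(i+1) != "257") next
      key = ""
      for (j = i + 4; j <= NF; j++) key = key $j   # join split base64
      printf "trust-anchor: \"%s DNSKEY %s %s %s %s\"\n", \
             owner, $(i+1), $(i+2), $(i+3), key
    }'
}

# has_ad_flag: read dig output on stdin; exit 0 iff the ";; flags:" line
# lists "ad" as a whole word (so "ad" inside other tokens does not match).
has_ad_flag() {
  awk '
    /^;; flags:/ {
      sub(/^;; flags: */, ""); sub(/;.*$/, "")
      n = split($0, f, " ")
      for (k = 1; k <= n; k++) if (f[k] == "ad") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Usage: generate the config line, then check a validated reply.
printf '%s\n' "$SAMPLE_KEY_FILE" | ksk_to_trust_anchor
if printf '%s\n' "$DIG_WITH_AD" | has_ad_flag; then
  echo "ad flag present: answer validated"
else
  echo "no ad flag: check the trust anchor and the stub zone"
fi
```

The printed trust-anchor line goes in the server: section of unbound.conf next to the stub-zone block (or into a file referenced by trust-anchor-file:), followed by unbound-checkconf and a reload. Because the anchor is a static copy of the KSK, it has to be replaced whenever the key-signing key is rolled on the BIND side, otherwise validation of the zone fails rather than silently falling back to insecure.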