Now that the DNS root zone is signed, I thought it was time I started using DNSSEC on my own PC. However, not wanting to wait for my ISP to enable it, I decided to set up a private recursive, validating DNS resolver for myself using Unbound.

Installing Unbound

Being already packaged in Debian and Ubuntu, unbound is only an apt-get away:

apt-get install unbound

though if you are running lenny, I suggest you grab the latest backport.

Once unbound is installed, follow these instructions to enable DNSSEC.

Optional settings

In my /etc/unbound/unbound.conf, I enabled the following security options:

harden-referral-path: yes  
use-caps-for-id: yes

harden-referral-path makes unbound look up (and, where possible, validate) the nameservers it is referred to instead of trusting the glue in the referral, at the cost of extra queries. use-caps-for-id randomises the case of the query name (0x20 encoding) and checks that the answer echoes it, which gives a spoofer more bits to guess and makes cache poisoning harder.

and turned on prefetching so that records for the sites I visit regularly are refreshed shortly before they expire instead of dropping out of the cache (prefetch-key does the same for the DNSKEY records needed to validate them):

prefetch: yes  
prefetch-key: yes

Finally, I also enabled statistics and the local control socket:

extended-statistics: yes  
control-enable: yes  
control-interface: 127.0.0.1

and ran sudo unbound-control-setup to generate the keys and certificates that unbound-control uses to authenticate to the daemon. Keeping control-interface on 127.0.0.1 matters: whoever can reach that port with the keys can reconfigure or flush the resolver.

Once unbound is restarted (sudo /etc/init.d/unbound restart) stats can be queried to make sure that the DNS resolver is working:

unbound-control stats

Overriding DHCP settings

In order to use my own unbound server for DNS lookups and not the one received via DHCP, I added this line to /etc/dhcp/dhclient.conf (/etc/dhcp3/dhclient.conf on lenny):

supersede domain-name-servers 127.0.0.1;

and restarted dhclient:

sudo killall dhclient  
sudo killall dhclient  
sudo /etc/init.d/network-manager restart

If you're not using DHCP, then you simply need to put this in your /etc/resolv.conf:

nameserver 127.0.0.1

Testing DNSSEC resolution

Once everything is configured properly, the best way I found to test that this setup was actually working is to use a web browser to visit these sites:

and using dig, checking for the ad (authenticated data) flag in the reply:

$ dig +dnssec A www.dnssec.cz | grep ad  
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
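The ad flag means the resolver validated the answer, and it is only meaningful because dig is talking to the validator on 127.0.0.1: from a remote resolver the bit travels unsigned in the UDP reply and can be spoofed. The flip side of validation is that a zone with a deliberately broken signature should come back as SERVFAIL rather than with an answer (adding +cdflag to the dig command turns validation off for that query, so the same name then answers without ad). The script below is an added example, not part of the original post: it classifies dig output into secure / insecure / bogus and can run against the local resolver for a list of names. The sample outputs in it are constructed to mirror the dig header shown above.

```sh
#!/bin/sh
# Added example (not from the original post): classify what a validating
# resolver tells dig about a name.
#
#   secure   - status NOERROR and the "ad" (Authenticated Data) flag is set
#   insecure - status NOERROR without "ad": unsigned zone, or a resolver that
#              is not validating at all (e.g. resolv.conf still points at the ISP)
#   bogus    - status SERVFAIL: the resolver had data but could not validate it
#              (SERVFAIL is also what a plain outage looks like, so check a
#              known-good name first)

# classify_dig reads dig output on stdin and prints one of the words above.
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" |
        sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' |
        head -n 1)
    flags=$(printf '%s\n' "$out" |
        sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' |
        head -n 1)
    case "$status" in
        NOERROR)
            # Match "ad" as a whole word inside the space-separated flag list.
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo unknown ;;
    esac
}

# check_name queries the local validator for NAME and prints "NAME status".
# Only the local resolver's "ad" flag is trustworthy; never run this against
# a resolver on the far side of an untrusted network and believe the result.
check_name() {
    name=$1
    printf '%s %s\n' "$name" "$(dig +dnssec A "$name" @127.0.0.1 | classify_dig)"
}

# Constructed sample headers, modelled on the dig output above (not captured).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Offline demonstration on the constructed samples.
for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_BOGUS"; do
    printf '%s\n' "$s" | classify_dig
done

# Live check against the local unbound, only for names given on the command line,
# e.g.:  sh dnssec-check.sh www.dnssec.cz debian.org
if [ $# -gt 0 ]; then
    for name in "$@"; do
        check_name "$name"
    done
fi
```

A useful pair of live checks is one name you know is signed (it should print secure) and one you know is unsigned (insecure); if the signed one prints insecure, dig is not reaching a validating resolver, which usually means the DHCP override above did not take effect.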

Are there any other ways of making sure that DNSSEC is fully functional?

First, thank you for posting this. There is one more thing that needs to be done.

After following: http://www.unbound.net/documentation/howto_anchor.html

I was getting this error in /var/log/daemon.log:

error: Could not open autotrust file for writing, /etc/unbound/root.key: Permission denied

I changed the group to unbound and made it writable.

# cd /etc/unbound
# chgrp unbound root.key
# chmod g+w root.key
# ls -la root.key
-rw-rw-r-- 1 root unbound 758 Sep 21 16:46 root.key

After restarting unbound, no more errors. The root.key should look like the following:

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1285101992 ;;Tue Sep 21 16:46:32 2010
;;last_success: 1285101992 ;;Tue Sep 21 16:46:32 2010
;;next_probe_time: 1285141647 ;;Wed Sep 22 03:47:27 2010
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 86400 IN DNSKEY 257 3 8 AwEAAagAI......

Again, thank you for this post.

Comment by Anonymous

"Are there any other ways of making sure that DNSSEC is fully functional?"

The following will give some info on dnssec. Install unbound-host, then try the following:

$ unbound-host rhybar.cz -f /etc/unbound/root.key -v

Output:
rhybar.cz has no address (BOGUS (security failure))
validation failure : no keys have a DS with algorithm RSASHA1 from 194.0.12.1 for key rhybar.cz. while building chain of trust

Or:
$ unbound-host rhybar.cz -C /etc/unbound/unbound.conf -v

Also:

$ unbound-host dnssec.cz -C /etc/unbound/unbound.conf -v

Output:
dnssec.cz has address 217.31.205.50 (secure)
dnssec.cz has IPv6 address 2001:1488:0:3::2 (secure)
dnssec.cz mail is handled by 10 mail.nic.cz. (secure)
dnssec.cz mail is handled by 15 mail4.nic.cz. (secure)
dnssec.cz mail is handled by 20 mx.cznic.org. (secure)

Or:

$ unbound-host dnssec.cz -f /etc/unbound/root.key -v

Comment by Anonymous