Now that the root DNS servers are signed, I thought it was time I started using DNSSEC on my own PC. However, not wanting to wait for my ISP to enable it, I decided to set up a private recursive DNS resolver for myself using Unbound:
```
apt-get install unbound
```
Once unbound is installed, follow these instructions to enable DNSSEC.
In /etc/unbound/unbound.conf, I enabled the following security options (these go in the server: section):

```
server:
    harden-referral-path: yes
    use-caps-for-id: yes
```

and turned on prefetching to hopefully keep in cache the sites I visit regularly:

```
    prefetch: yes
    prefetch-key: yes
```

Finally, I also enabled statistics (extended-statistics belongs in the server: section, the control options in the remote-control: section):

```
server:
    extended-statistics: yes

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
```

and ran sudo unbound-control-setup to generate the necessary keys.
Once unbound is restarted (sudo /etc/init.d/unbound restart), stats can be queried to make sure that the DNS resolver is working.
Overriding DHCP settings
In order to use my own unbound server for DNS lookups and not the one received via DHCP, I added this line to my dhclient configuration:

```
supersede domain-name-servers 127.0.0.1;
```
and restarted dhclient:

```
sudo killall dhclient
sudo /etc/init.d/network-manager restart
```
If you're not using DHCP, then you simply need to put this in your resolver configuration instead.
Testing DNSSEC resolution
Once everything is configured properly, the best way I found to test that this setup was actually working is to use a web browser to visit these sites:

and using dig:

```
$ dig +dnssec A www.dnssec.cz | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
```
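The grep above matches any line containing "ad", so it can be fooled by unrelated output (an address in the ANSWER section, for instance). The script below is an added example, not part of the original post, that inspects only the ";; flags:" header line for the AD (authenticated data) bit and also reads the status word, so a validated answer, an unsigned zone and a validation failure (where a validating resolver returns SERVFAIL) can be told apart. The three dig outputs embedded in it are constructed samples modelled on the line shown above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): classify dig output by DNSSEC
# validation status. Only the ";; flags:" and ";; ->>HEADER<<-" lines are read,
# so the functions work on saved output as well as on live queries.

# has_ad_flag: read dig output on stdin; exit 0 if the AD flag is set, 1 otherwise.
# The flags line is trimmed to the token list before the first ';' and matched
# token by token, so "ad" inside an address or a name cannot produce a false hit.
has_ad_flag() {
    grep -E '^;; flags:' | head -n 1 | sed 's/^;; flags://; s/;.*//' \
        | tr ' ' '\n' | grep -qx 'ad'
}

# rcode: print the status word (NOERROR, SERVFAIL, ...) from dig output on stdin.
rcode() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# classify: print "validated", "bogus" or "insecure" for dig output on stdin.
# "bogus" is a best-effort label: SERVFAIL also covers ordinary resolver
# failures, so confirm with a second query using dig's +cd (checking disabled)
# option; if that one succeeds, the SERVFAIL really was a validation failure.
classify() {
    out=$(cat)
    if printf '%s\n' "$out" | has_ad_flag; then
        echo validated
    elif [ "$(printf '%s\n' "$out" | rcode)" = SERVFAIL ]; then
        echo bogus
    else
        echo insecure
    fi
}

# Constructed sample: validated answer, modelled on the dig line in the post.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1'

# Constructed sample: answer from an unsigned zone (no AD flag).
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: what a validating resolver returns when signatures fail.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1236
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live use against the local resolver (needs network, so not run here):
#   dig @127.0.0.1 +dnssec A www.dnssec.cz | classify
```

Run the samples through classify to see the three outcomes; against the live resolver, a signed zone should print "validated" and a zone with deliberately broken signatures should print "bogus", while "insecure" for a signed zone means the resolver is not validating at all.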
Are there any other ways of making sure that DNSSEC is fully functional?