Now that the DNS root zone is signed, I thought it was time I started using DNSSEC on my own PC. However, not wanting to wait for my ISP to enable it, I decided to set up a private recursive DNS resolver for myself using Unbound.
Installing Unbound
Being already packaged in Debian and Ubuntu, unbound is only an apt-get away:
apt-get install unbound
though if you are running lenny, I suggest you grab the latest backport.
Once unbound is installed, follow these instructions to enable DNSSEC.
Optional settings
In my /etc/unbound/unbound.conf, I enabled the following hardening options (the first makes unbound issue extra queries for nameserver records so the referral path itself is checked; the second randomizes the case of the query name, the so-called 0x20 trick, so a spoofed answer has to guess the exact casing):
harden-referral-path: yes
use-caps-for-id: yes
and turned on prefetching so that records for the sites I visit regularly (and the DNSKEYs needed to validate them) are refreshed before they expire from the cache:
prefetch: yes
prefetch-key: yes
Finally, I also enabled statistics:
extended-statistics: yes
control-enable: yes
control-interface: 127.0.0.1
and ran sudo unbound-control-setup to generate the keys and certificates that unbound-control uses to authenticate to the daemon.
Once unbound is restarted (sudo /etc/init.d/unbound restart), stats can be queried to make sure that the DNS resolver is working:
unbound-control stats
Overriding DHCP settings
In order to use my own unbound server for DNS lookups and not the one received via DHCP, I added this line to /etc/dhcp/dhclient.conf:
supersede domain-name-servers 127.0.0.1;
and restarted dhclient:
sudo killall dhclient
sudo killall dhclient
sudo /etc/init.d/network-manager restart
If you're not using DHCP, then you simply need to put this in your /etc/resolv.conf:
nameserver 127.0.0.1
Testing DNSSEC resolution
Once everything is configured properly, the best way I found to test that this setup was actually working is to use a web browser to visit these sites:
- http://www.dnssec.cz/ should show a green key
- http://www.rhybar.cz/ should not be reachable (its zone is deliberately signed incorrectly, so a validating resolver must refuse to hand back an answer)
and using dig:
$ dig +dnssec A www.dnssec.cz | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
The ad (authenticated data) flag in the header is what matters here: it means unbound itself validated the answer, rather than simply relaying it.
Are there any other ways of making sure that DNSSEC is fully functional?
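One more way, as an added example that is not part of the original post: a small script around dig that tells a validation failure apart from an ordinary server failure. A SERVFAIL on its own proves nothing; what proves that validation is happening is that the same name resolves fine once you add +cd (checking disabled) to the query. The script assumes dig (from the dnsutils package) is installed and that the resolver listens on 127.0.0.1 (override with the RESOLVER variable); the sample dig headers embedded at the bottom are constructed, not captured from a live server, and exist only so the parsing can be exercised offline.

```shell
#!/bin/bash
# Added example (not from the original post): verify that a resolver really
# validates DNSSEC, using dig. Assumptions: dig is installed (dnsutils) and
# the resolver listens on 127.0.0.1 (override with RESOLVER=...).
#
# The trick is the +cd (checking disabled) flag: a name that SERVFAILs
# normally but resolves with +cd failed *validation*, which is exactly what
# a deliberately broken zone should do. A SERVFAIL in both cases is just a
# broken server or network, not proof that DNSSEC works.
RESOLVER="${RESOLVER:-127.0.0.1}"

# RCODE ("NOERROR", "SERVFAIL", ...) from the dig output passed as $1.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# True when the flags line carries "ad" (authenticated data), i.e. the
# resolver validated the answer itself.
dig_has_ad() {
    printf '%s\n' "$1" | grep -q -E '^;; flags:( [a-z]+)* ad( [a-z]+)*;'
}

# Classify one name from two dig runs: $1 = normal output, $2 = +cd output.
# Prints secure | bogus | insecure | error:<rcode>.
classify() {
    local status cd_status
    status=$(dig_status "$1")
    cd_status=$(dig_status "$2")
    if [ "$status" = NOERROR ] && dig_has_ad "$1"; then
        echo secure
    elif [ "$status" = SERVFAIL ] && [ "$cd_status" = NOERROR ]; then
        echo bogus          # validation failure: what rhybar.cz should give
    elif [ "$status" = NOERROR ]; then
        echo insecure       # answered, but unsigned (no ad bit)
    else
        echo "error:${status:-no-answer}"
    fi
}

# Query the resolver twice (with and without +cd) and print the verdict.
check_name() {
    local normal cd_out
    normal=$(dig @"$RESOLVER" +dnssec A "$1" 2>&1 || true)
    cd_out=$(dig @"$RESOLVER" +dnssec +cd A "$1" 2>&1 || true)
    printf '%-24s %s\n' "$1" "$(classify "$normal" "$cd_out")"
}

# Constructed dig header fragments (not captured from a live server) so the
# parsing can be exercised without network access.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1'

# Usage: ./dnssec-check.sh www.dnssec.cz www.rhybar.cz
# On a validating resolver the first should print "secure", the second "bogus".
for name in "$@"; do
    check_name "$name"
done
```

Run it against the two test names from the post: a validating resolver prints "secure" for www.dnssec.cz and "bogus" for www.rhybar.cz. If www.rhybar.cz comes back as "error:SERVFAIL" instead, the resolver is failing for some other reason and you have not actually tested validation; if it comes back "insecure", your unbound is not validating at all.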
First, thank you for posting this. There is one more thing that needs to be done.
After following: http://www.unbound.net/documentation/howto_anchor.html
I was getting this error in /var/log/daemon.log:
error: Could not open autotrust file for writing, /etc/unbound/root.key: Permission denied
I changed the group to unbound and made it writable.
# cd /etc/unbound
# chgrp unbound root.key
# chmod g+w root.key
# ls -la root.key
-rw-rw-r-- 1 root unbound 758 Sep 21 16:46 root.key
After restarting unbound, no more errors. The root.key should look like the following:
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1285101992 ;;Tue Sep 21 16:46:32 2010
;;last_success: 1285101992 ;;Tue Sep 21 16:46:32 2010
;;next_probe_time: 1285141647 ;;Wed Sep 22 03:47:27 2010
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 86400 IN DNSKEY 257 3 8 AwEAAagAI......
Again, thank you for this post.
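As an added example, not part of the comment above or of unbound itself: once root.key is writable, unbound keeps updating it with the RFC 5011 probe state shown above, and that state can be checked rather than eyeballed. The script below reads the ";;field: value" lines and the DNSKEY records of an autotrust file and reports "ok" only if there is at least one key-signing key (flags 257), the last probe did not fail, and the last success is not older than two probe intervals. The two-interval threshold and the file path on the command line are assumptions; the sample file embedded in the script is constructed from the listing in the comment, with the key material left truncated exactly as it appears there.

```shell
#!/bin/bash
# Added example (not from the comment or from unbound): sanity-check an
# Unbound autotrust anchor file (the root.key written by
# auto-trust-anchor-file). Assumptions: the file format is the ";;field:"
# plus DNSKEY layout shown in the comment, and "stale" means the last
# successful probe is more than two query intervals old.

# Value of a ";;name:" field from the anchor text passed as $2.
anchor_field() {  # $1 = field name (e.g. query_failed), $2 = file contents
    printf '%s\n' "$2" | awk -v f=";;$1:" '$1 == f { print $2; exit }'
}

# Number of DNSKEY records with the SEP bit (flags 257), i.e. key-signing
# keys that can act as trust anchors.
anchor_ksk_count() {  # $1 = file contents
    printf '%s\n' "$1" |
        awk '$3 == "IN" && $4 == "DNSKEY" && $5 == "257" { n++ } END { print n + 0 }'
}

# Prints "ok" and returns 0 when the anchor looks healthy; otherwise prints
# the reason and returns 1. $1 = file contents, $2 = current unix time.
anchor_health() {
    local failed last_success interval ksks age
    failed=$(anchor_field query_failed "$1")
    last_success=$(anchor_field last_success "$1")
    interval=$(anchor_field query_interval "$1")
    ksks=$(anchor_ksk_count "$1")
    if [ "$ksks" -eq 0 ]; then
        echo "no KSK (flags 257) in anchor file"; return 1
    fi
    if [ "${failed:-0}" -ne 0 ]; then
        echo "last ${failed} probe(s) failed"; return 1
    fi
    age=$(( $2 - ${last_success:-0} ))
    # Two missed probe intervals is the (assumed) staleness threshold.
    if [ "$age" -gt $(( 2 * ${interval:-43200} )) ]; then
        echo "last successful probe ${age}s ago"; return 1
    fi
    echo ok
}

# Constructed sample, copied from the comment's listing (key material is
# truncated there and is left truncated here; the parser does not need it).
SAMPLE_ANCHOR='; autotrust trust anchor file
;;id: . 1
;;last_queried: 1285101992 ;;Tue Sep 21 16:46:32 2010
;;last_success: 1285101992 ;;Tue Sep 21 16:46:32 2010
;;next_probe_time: 1285141647 ;;Wed Sep 22 03:47:27 2010
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 86400 IN DNSKEY 257 3 8 AwEAAagAI......'

# Usage: ./anchor-check.sh /etc/unbound/root.key
# Exit status is non-zero when the anchor is unhealthy, so it can go in cron.
if [ $# -gt 0 ]; then
    anchor_health "$(cat "$1")" "$(date +%s)"
fi
```

If the script keeps reporting failed probes or a stale last_success after unbound has been running for a day, that usually means the same problem the comment describes: unbound cannot write the file back, so the on-disk state never advances.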
"Are there any other ways of making sure that DNSSEC is fully functional?"
The following will give some info on DNSSEC. Install unbound-host, then try the following:
$ unbound-host rhybar.cz -f /etc/unbound/root.key -v
Output:
rhybar.cz has no address (BOGUS (security failure))
validation failure : no keys have a DS with algorithm RSASHA1 from 194.0.12.1 for key rhybar.cz. while building chain of trust
Or:
$ unbound-host rhybar.cz -C /etc/unbound/unbound.conf -v
Also:
$ unbound-host dnssec.cz -C /etc/unbound/unbound.conf -v
Output:
dnssec.cz has address 217.31.205.50 (secure)
dnssec.cz has IPv6 address 2001:1488:0:3::2 (secure)
dnssec.cz mail is handled by 10 mail.nic.cz. (secure)
dnssec.cz mail is handled by 15 mail4.nic.cz. (secure)
dnssec.cz mail is handled by 20 mx.cznic.org. (secure)
Or:
$ unbound-host dnssec.cz -f /etc/unbound/root.key -v