Now that the root DNS servers are signed, I thought it was time I started using DNSSEC on my own PC. However, not wanting to wait for my ISP to enable it, I decided to set up a private recursive DNS resolver for myself using Unbound.
    apt-get install unbound

Then, in /etc/unbound/unbound.conf.d/francois.conf, I enabled the following security options:
    server:    # each fragment in unbound.conf.d needs its own clause header
        harden-below-nxdomain: yes
        harden-referral-path: yes
        harden-algo-downgrade: no    # false positives with improperly configured zones
        use-caps-for-id: no          # makes lots of queries fail
        hide-identity: yes
        hide-version: yes
and turned on prefetching, hoping to keep the sites I visit regularly in the cache:
        # still in the server: section
        prefetch: yes
        prefetch-key: yes
        msg-cache-size: 128k
        msg-cache-slabs: 2
        rrset-cache-size: 8m
        rrset-cache-slabs: 2
        key-cache-size: 32m
        key-cache-slabs: 2
        cache-min-ttl: 3600    # floors every TTL at one hour: fewer lookups, but changes to short-TTL records show up late
        num-threads: 2
Finally, I also enabled the control interface:
    remote-control:    # these two options belong in their own clause, not under server:
        control-enable: yes
        control-interface: 127.0.0.1
and increased the amount of debugging information:
        # back in the server: section
        val-log-level: 2
        use-syslog: yes
        verbosity: 1
Then I ran

    sudo unbound-control-setup

to generate the necessary keys.
Once unbound is restarted (sudo service unbound restart), stats can be queried through the control interface to make sure that the DNS resolver is working.
Overriding DHCP settings
In order to use my own unbound server for DNS lookups and not the one received via DHCP, I added this line to my dhclient configuration file:

    supersede domain-name-servers 127.0.0.1;
and restarted dhclient:
    sudo killall dhclient
    sudo killall dhclient
    sudo /etc/init.d/network-manager restart
If you're not using DHCP, then you simply need to point your resolver configuration at 127.0.0.1 directly.
Testing DNSSEC resolution
Once everything is configured properly, the best way I found to test that this setup was actually working is to use a web browser to visit these sites:
and using dig, checking for the ad (authenticated data) flag in the reply:

    $ dig +dnssec A www.dnssec.cz | grep ad
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
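To turn the two checks above (the unbound-control stats query after the restart, and the dig ad-flag test) into something scriptable, here is an added shell example; it is not part of the original post. It classifies a dig reply by its DNSSEC outcome (NOERROR with ad set means validated; NOERROR without ad means an unsigned zone or a resolver that is not validating; SERVFAIL means the validator rejected a broken chain) and reads counters out of unbound-control stats. The dig and stats outputs embedded in the script are constructed samples so the functions can be exercised offline; only live_check talks to the resolver on 127.0.0.1.

```shell
#!/bin/sh
# Added example, not from the original post: classify a dig answer by its
# DNSSEC outcome and read validation counters from unbound-control stats.
# The SAMPLE_* strings below are constructed to mimic real output so the
# functions run offline.

# classify_dig DIG_OUTPUT -> prints one of: secure | insecure | bogus | error
#   secure:   status NOERROR and the ad (authenticated data) flag set
#   insecure: status NOERROR, no ad (unsigned zone, or resolver not validating)
#   bogus:    status SERVFAIL (a validating resolver refused a broken chain)
#   error:    no header line at all (timeout, wrong address, ...)
classify_dig() {
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo error ;;
    esac
}

# stat_value STATS_OUTPUT NAME -> prints the counter's value, or 0 if absent
stat_value() {
    v=$(printf '%s\n' "$1" | sed -n "s/^$2=//p")
    echo "${v:-0}"
}

# live_check DOMAIN: the real thing, asking the local resolver explicitly.
live_check() {
    classify_dig "$(dig +dnssec A "$1" @127.0.0.1)"
}

# Constructed sample: a validated answer (what www.dnssec.cz should give).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1'

# Constructed sample: the same query answered by a non-validating resolver.
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1'

# Constructed sample: a zone with a deliberately broken signature chain.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: a fragment of `sudo unbound-control stats`.
SAMPLE_STATS='total.num.queries=57
num.answer.secure=12
num.answer.bogus=1
num.rrset.bogus=1'

# Example run (offline) when executed directly:
#   classify_dig "$SAMPLE_SECURE"      -> secure
#   stat_value "$SAMPLE_STATS" num.answer.bogus -> 1
```

Two points worth keeping in mind when reading the results. First, a resolver that only ever returns secure answers has not proven that it enforces validation; also query a zone whose signatures are deliberately broken (dnssec-failed.org is the usual test domain) and expect bogus, which then shows up in num.answer.bogus. Second, ask dig for 127.0.0.1 explicitly: the ad bit is only meaningful when it comes from your own validating resolver, since any other resolver on the path could set or strip it. Note also that unbound-control stats clears the counters after printing them; use stats_noreset to look without resetting.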
Are there any other ways of making sure that DNSSEC is fully functional?