
Enable DNSSEC for unbound resolver

Retrieve the root KSK as the trust anchor and set its ownership:

# unbound-anchor -a /etc/unbound/root.key
# chown unbound:unbound /etc/unbound/root.key

Configure unbound in '/etc/unbound/unbound.conf' (the option belongs in the 'server:' section):

auto-trust-anchor-file: "/etc/unbound/root.key"

Reload the new configuration:

# service unbound reload

Validation

  • dig sigok.verteiltesysteme.net @127.0.0.1 (should return an A record)
  • dig sigfail.verteiltesysteme.net @127.0.0.1 (should return SERVFAIL)
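
The two queries above, scripted as an added example (not part of the original page): a resolver that does not validate also answers the sigok name, so the script reports "validating" only when sigok resolves with the `ad` flag and sigfail returns SERVFAIL. The function names are hypothetical and the sample dig headers are constructed; run it with the argument `live` to query 127.0.0.1.

```shell
#!/bin/sh
# Added example: classify dig output for the sigok/sigfail validation queries.

# Print the rcode from the ";; ->>HEADER<<-" line of dig output on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Succeed if the ";; flags:" line of dig output on stdin carries the AD flag.
dig_has_ad() {
    grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# check_validation SIGOK_OUTPUT SIGFAIL_OUTPUT -> broken | validating | not-validating
check_validation() {
    ok_status=$(printf '%s\n' "$1" | dig_status)
    fail_status=$(printf '%s\n' "$2" | dig_status)
    if [ "$ok_status" != "NOERROR" ]; then
        echo "broken"            # even the correctly signed name does not resolve
    elif [ "$fail_status" = "SERVFAIL" ] && printf '%s\n' "$1" | dig_has_ad; then
        echo "validating"        # bad signature rejected, good answer authenticated
    else
        echo "not-validating"    # resolver answered without checking signatures
    fi
}

# Constructed sample headers (not captured from a real resolver).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1112
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# "live" queries the local resolver; +dnssec sets the DO bit on the query.
if [ "${1:-}" = "live" ]; then
    check_validation "$(dig +dnssec sigok.verteiltesysteme.net @127.0.0.1)" \
                     "$(dig +dnssec sigfail.verteiltesysteme.net @127.0.0.1)"
else
    check_validation "$SAMPLE_OK" "$SAMPLE_FAIL"
fi
```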

 

 
