Skip to content. | Skip to navigation

Sections

Personal tools

Log in

You are here: Home → Linux → dns → Enable DNSSEC for unbound resolver

Recent Changes: Intel Xeon-D x552/x557 10baseT fails to negiotiate a 10Gb link Aug 20, 2023; Images Aug 11, 2023; X10SDV-8C-TLN4F Aug 11, 2023; CPU Requirement for Rocky Linux v9 (And Redhat Enterprise Linux v9) Feb 24, 2023; Rocky Linux Feb 23, 2023; Images Jul 19, 2022; Rocky Jul 19, 2022; Runtime tweak of US-16-XG switch trunk for ESXi Apr 12, 2019; Ubiquiti US-16-XG 10GbE switch command line Apr 10, 2019; Flash Intel iSCSI NIC firmware Mar 04, 2019; Add a static route to a Netonix WS-6-MINI switch Nov 17, 2018; Install and configure Dovecot on CentOS 6 as an IMAP server Sep 06, 2018; All recent changes…

Enable DNSSEC for unbound resolver

Retrieve the root KSK as trust-anchor and set it's permissions:

# unbound-anchor -a /etc/unbound/root.key
# chown unbound.unbound /etc/unbound/root.key

Configure unbound '/etc/unbound/unbound.conf':

auto-trust-anchor-file "/etc/unbound/root.key"

Reload the new configuration:

# service unbound reload

Validation

dig sigok.verteiltesysteme.net @127.0.0.1 (should return A record)
dig sigfail.verteiltesysteme.net @127.0.0.1 (should return SERVFAIL)

Links

Document Actions