DNSSEC is a mechanism to protect DNS data with digital signatures. To validate those signatures, the resolver must be configured with the public keys it trusts (the trust anchors). Below this is explained for unbound.
These are the 2008 trust anchors. Please verify your country's trust anchor via your local registry.
Create a directory /etc/unbound/anchors with the files that hold the trust anchors. You can put it somewhere else, as long as it is accessible to the unbound daemon; if your daemon runs from /var/unbound or /usr/local/etc/unbound you can put it there.
    ; /etc/unbound/anchors/br.anchor
    br. DS 18457 5 1 1067149C134A5B5FF8FC5ED0996E4E9E50AC21B1
    br. DS 61207 5 1 637724A380ECE3426F5EBDCD6795AD4F729AB3E9

    ; /etc/unbound/anchors/se.anchor
    se. DS 49678 5 1 6672948B37E6B7B3EFE87FB711849EF17786C8E3
    se. DS 6166 5 1 CE2B007F6D000B064B4A82E8840C19D3D09B8F8E

    ; /etc/unbound/anchors/bg.anchor
    bg. DS 61993 5 1 ABC9B1EB085C12AB3214BC5B08269C24B918B623

    ; /etc/unbound/anchors/pr.anchor
    pr. DS 2684 5 1 f461055cf27925a56bf9cff1826e946235be2767
In the config file, include the anchor files, like this:
    server:
        # trust anchors. In separate files, to be updated from cron.
        trust-anchor-file: "/etc/unbound/anchors/br.anchor"
        trust-anchor-file: "/etc/unbound/anchors/se.anchor"
        trust-anchor-file: "/etc/unbound/anchors/bg.anchor"
        trust-anchor-file: "/etc/unbound/anchors/pr.anchor"
        # ... more trust anchors
Now enable automatic tracking of the trust anchors with a crontab entry. This entry checks for updates to the keys every day, using a simple script to perform the update checks. The recent RFC5011 rollover tracking standard, once implementations for it are ready, can be used for this task as well.
Copy the contrib/update-anchor.sh script from the unbound source tarball to a location on your system (here: /usr/local/bin).
This script updates the trust anchor files when called. We set it to be called daily, even though trust anchors usually update only once per month or once per year. This makes sure it all works and you won't miss an update due to timing. The script exits with exit value 0 when the daemon has to be restarted (that is, when an anchor file changed). So we need to call, in pseudo code:

    update-anchor.sh -d mydir && restart_daemon_command

from cron daily. The script can also handle BIND-style config files with the -b option.
If you use anacron, make a file /etc/cron.daily/update-anchor with contents:

    #!/bin/sh
    # this command updates the trust anchor files and reloads
    # unbound only when the script reports a change (exit value 0)
    /usr/local/bin/update-anchor.sh -d /etc/unbound/anchors && /etc/init.d/unbound reload
If you use cron (the directory /etc/cron.daily does not exist), create a crontab entry (crontab -e as root) like this:

    0 11 * * * /usr/local/bin/update-anchor.sh -d /etc/unbound/anchors && /etc/init.d/unbound reload
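Because a malformed or truncated anchor file silently weakens validation (a DS record that does not parse is a missing trust anchor), a practitioner usually wants a sanity check between "the updater says something changed" and "reload the daemon". The script below is an added example, not the contrib/update-anchor.sh script from the unbound tarball and not part of this howto: it checks that every record line in the anchor files above is a DS record whose hex digest has the length its digest type requires, and it wraps the "updater && reload" pattern so that the reload only runs when the updated files still validate. The function names (check_anchor_file, check_anchor_dir, reload_if_updated) and the exit-code convention of the wrapper are this example's own; the constructed sample data at the bottom reuses the br. records quoted earlier.

```shell
#!/bin/sh
# Added example, not from the Unbound project or this howto: validate
# trust-anchor files and reload the daemon only when the updater reports a
# change AND every anchor file still parses as DS records.

# check_anchor_file FILE
# Returns 0 when every non-comment, non-blank line is a well-formed DS record:
#   owner DS keytag algorithm digesttype digest
# and the digest length matches the digest type (1=SHA-1 40 hex chars,
# 2=SHA-256 64, 4=SHA-384 96). An empty file (no records) fails too.
check_anchor_file() {
    awk '
        /^[[:space:]]*;/ { next }      # comment line, as in the howto files
        NF == 0          { next }      # blank line
        {
            if (NF != 6 || $2 != "DS") { bad++; next }
            if ($3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ || $5 !~ /^[0-9]+$/) { bad++; next }
            want = 0
            if ($5 == 1) want = 40          # SHA-1
            else if ($5 == 2) want = 64     # SHA-256
            else if ($5 == 4) want = 96     # SHA-384
            if (want == 0 || length($6) != want || $6 !~ /^[0-9A-Fa-f]+$/) { bad++; next }
            good++
        }
        END { exit (bad > 0 || good == 0) ? 1 : 0 }
    ' "$1"
}

# check_anchor_dir DIR
# Returns 0 when DIR contains at least one *.anchor file and all of them pass.
check_anchor_dir() {
    for f in "$1"/*.anchor; do
        [ -e "$f" ] || return 1                     # glob did not match: no anchors
        check_anchor_file "$f" || { echo "bad anchor file: $f" >&2; return 1; }
    done
}

# reload_if_updated UPDATER DIR RELOAD_CMD [ARGS...]
# Mirrors the howto's "update-anchor.sh -d dir && reload" pattern with a
# validation step in between. UPDATER is run as "UPDATER -d DIR" and, like
# update-anchor.sh, must exit 0 only when an anchor file changed.
# Return codes (this example's convention): 0 reloaded, 1 nothing changed,
# 2 refused because a file failed validation or the reload command failed.
reload_if_updated() {
    updater=$1; dir=$2; shift 2
    "$updater" -d "$dir" || return 1
    check_anchor_dir "$dir" || return 2
    "$@" || return 2
}

# Constructed sample for a stand-alone run: the br. records from the howto.
demo_dir=$(mktemp -d)
cat > "$demo_dir/br.anchor" <<'EOF'
; constructed copy of /etc/unbound/anchors/br.anchor
br. DS 18457 5 1 1067149C134A5B5FF8FC5ED0996E4E9E50AC21B1
br. DS 61207 5 1 637724A380ECE3426F5EBDCD6795AD4F729AB3E9
EOF
if check_anchor_dir "$demo_dir"; then echo "anchors OK"; else echo "anchors BAD"; fi
rm -rf "$demo_dir"
```

In a cron job the wrapper replaces the bare `update-anchor.sh ... && reload` line, for example `reload_if_updated /usr/local/bin/update-anchor.sh /etc/unbound/anchors /etc/init.d/unbound reload`; a return code of 2 is the case worth alerting on, since it means new anchor data arrived that the daemon would not have been able to use.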