Unbound: Howto enable DNSSEC

By W.C.A. Wijngaards, NLnet Labs, August 2008.

DNSSEC is a mechanism to protect DNS data. It uses digital signatures. To use it, the public keys (the trust anchors) must be configured. This is explained below.

These are the 2008 trust anchors. Please verify your country's trust anchor via your local registry.

Create a directory /etc/unbound/anchors for the files that hold the trust anchors. You can put it somewhere else, as long as it is accessible to the unbound daemon; if your daemon runs from /var/unbound or /usr/local/etc/unbound, you can put it there.

; /etc/unbound/anchors/br.anchor
br. DS 18457 5 1 1067149C134A5B5FF8FC5ED0996E4E9E50AC21B1
br. DS 61207 5 1 637724A380ECE3426F5EBDCD6795AD4F729AB3E9
; /etc/unbound/anchors/se.anchor
se. DS 49678 5 1 6672948B37E6B7B3EFE87FB711849EF17786C8E3
se. DS  6166 5 1 CE2B007F6D000B064B4A82E8840C19D3D09B8F8E
; /etc/unbound/anchors/bg.anchor
bg. DS 61993 5 1 ABC9B1EB085C12AB3214BC5B08269C24B918B623
; /etc/unbound/anchors/pr.anchor
pr. DS  2684 5 1 f461055cf27925a56bf9cff1826e946235be2767

In the config file, include the anchor files, like this:

server:
	# chroot disabled here as example, to make pathnames work
	chroot: ""
	directory: "/etc/unbound"

	# trust anchors. In separate files, to be updated from cron.
	trust-anchor-file: "/etc/unbound/anchors/br.anchor"
	trust-anchor-file: "/etc/unbound/anchors/se.anchor"
	trust-anchor-file: "/etc/unbound/anchors/bg.anchor"
	trust-anchor-file: "/etc/unbound/anchors/pr.anchor"
	# ... more trust anchors

Now enable automatic tracking of the trust anchors with a crontab entry. This entry checks for updates to the keys every day. This solution uses a simple script to perform the update checks. The recent RFC5011 rollover tracking standard, when implementations for it are ready, can be used as well for this task.

Copy the contrib/update-anchor.sh script from the unbound source tarball to a location on your system (here: /usr/local/bin).

This script updates the trust anchor files when called. We set it to be called daily, even though trust anchors usually update only once per month or once per year. This makes sure it all works and you won't miss an update due to timing. The script exits with exit value 0 when the daemon has to be restarted. So, we need to call, in pseudo code: update-anchor.sh -d mydir && restart_daemon_command from cron daily. The script can handle BIND-config files with the -b option.

If you use anacron, make a file in /etc/cron.daily/update-anchor with contents:

#!/bin/sh
# this command updates the .anchor files in the directory
# and reloads the daemon via its init script if they changed.
/usr/local/bin/update-anchor.sh -d /etc/unbound/anchors && \
/etc/init.d/unbound reload

If you use cron (the directory /etc/cron.daily does not exist), create a crontab entry (crontab -e as root) like this:

0 11 * * * /usr/local/bin/update-anchor.sh -d /etc/unbound/anchors && /etc/init.d/unbound reload
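A malformed line in an anchor file makes the daemon refuse its configuration, so the cron job above is safer if it checks the files before it reloads. The following check is an added example, not part of this page and not one of Unbound's contrib/ scripts; the function names check_anchor_file and check_anchor_dir are assumed here. It verifies the "owner. DS keytag algorithm digesttype hexdigest" layout used in the anchor files above, including the digest length for digest type 1 (SHA-1, 40 hex characters) and type 2 (SHA-256, 64 hex characters), and skips ';' comments and blank lines.

```shell
#!/bin/sh
# Added example (not from the original page or from Unbound's contrib/):
# syntax-check trust anchor files before handing them to Unbound, so that a
# broken file stops the cron job instead of breaking the daemon on reload.
# Record layout checked: "<owner>. DS <keytag> <algorithm> <digesttype> <hexdigest>"

check_anchor_file() {
    # $1 = path to one anchor file. Returns 0 if every record is well formed,
    # 1 on the first malformed line (reported on stderr with file and line).
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk '
        /^[ \t]*;/ || /^[ \t]*$/ { next }        # comment or blank line
        {
            ok = (NF == 6 && $1 ~ /\.$/ && $2 == "DS" &&
                  $3 ~ /^[0-9]+$/ && $3 <= 65535 &&      # key tag is 16 bit
                  $4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ &&
                  $6 ~ /^[0-9A-Fa-f]+$/)
            if (ok && $5 == 1) ok = (length($6) == 40)   # SHA-1 digest
            if (ok && $5 == 2) ok = (length($6) == 64)   # SHA-256 digest
            if (!ok) {
                printf("%s:%d: malformed DS record: %s\n",
                       FILENAME, NR, $0) > "/dev/stderr"
                exit 1
            }
        }
    ' "$1"
}

check_anchor_dir() {
    # $1 = anchor directory; checks every *.anchor file, fails on the first bad one.
    for f in "$1"/*.anchor; do
        [ -e "$f" ] || { echo "no .anchor files in $1" >&2; return 1; }
        check_anchor_file "$f" || return 1
    done
    return 0
}

# Usage from the cron job (assumed invocation, hypothetical script name):
#   /usr/local/bin/update-anchor.sh -d /etc/unbound/anchors && \
#   check-anchors.sh --check /etc/unbound/anchors && /etc/init.d/unbound reload
if [ "${1:-}" = "--check" ]; then
    check_anchor_dir "$2"
fi
```

When Unbound itself is installed, running unbound-checkconf after the anchor check validates the whole configuration, including the trust-anchor-file lines, before the reload is issued.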