Maintained by: NLnet Labs

[Unbound-users] dnssec via forwarder

lst_hoe02 at kwsoft.de
Thu Dec 2 13:07:44 CET 2010


Quoting Andreas Schulze <andreas.schulze at datev.de>:

> Hello,
>
> I have a remote system as resolver using unbound-1.4.7.
> On my local system I configured unbound-1.4.7 also as forwarder to
> the remote system.
>
> --- snip
> forward-zone:
>         name: "."
> 	# 192.0.2.53 is the remote resolver
>         forward-addr: 192.0.2.53
> --- snap
>
> Resolving at all works fine.
>
> On my local system I have the DNSSEC Validator Plugin from
> dnssec-validator.cz installed. If I configure this Plugin to use the remote
> server as Resolver then the Plugin shows me a green label in Firefox for
> dnssec-validator.cz.
>
> If I configure the Plugin to use the local Resolver, the Validator plugin
> shows me a yellow label saying "The domain name is secured with DNSSEC
> technology, but the DNS server resolver used cannot verify the signature
> validity."
>
> I'm unsure if this is an error in the Plugin or if I have misconfigured
> my forwarding unbound.
>
> Any hints?
>
> Thanks
> Andreas

Hello

You could start by checking "by hand", e.g. with

dig @remote-resolver some-secured.site +dnssec

and

dig @local-resolver some-secured.site +dnssec

If you get the "ad" in the resulting dig output, DNSSEC validation succeeded.

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 dnssec-validator.cz A +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38884
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-validator.cz.		IN	A

;; ANSWER SECTION:
dnssec-validator.cz.	6829	IN	A	217.31.205.50
dnssec-validator.cz.	6829	IN	RRSIG	A 5 2 7200 20101214170301  
20101130170301 29165 dnssec-validator.cz.  
BuwS/JyQDPYg3i8VHJslEOPSa/znhsOfne03I3RvyVx0cutXFj2a+ddc  
rEA0fC6abDZr3njhTlcwdJS11Mcl3ObHKGBY1445DaG8jUtncgAN1v+R  
MeN6S1QeJsTuyWuwrA7oOv66U8Okl6xXTX6Sn58AGdImIipetvSJW1fj t/M=

;; AUTHORITY SECTION:
dnssec-validator.cz.	6822	IN	NS	d.ns.nic.cz.
dnssec-validator.cz.	6822	IN	NS	b.ns.nic.cz.
dnssec-validator.cz.	6822	IN	NS	a.ns.nic.cz.
dnssec-validator.cz.	6841	IN	RRSIG	NS 5 2 7200 20101214170301  
20101130170301 29165 dnssec-validator.cz.  
HggDIcJc5TOozaazxWKg3KWo3EISMRsRH+ZLVR65nW9vE5zNrMaFYIPU  
lqwMDH390beC52WFJG0kRNzx/s7xxuZ8UW9oZsFEWUAuXZfC59xlsk+0  
AzDN6FD/Q9MNqXBAZgfIlSdkkBZWMzXAJfaUj90PIvLJ0V2o+nluiFl4 4dw=

Regards

Andreas
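
Added example (not part of the original post and not Unbound project code): a shell helper that automates the by-hand check described in the reply, classifying `dig +dnssec` output by the "ad" flag, the response status and the presence of RRSIG records. The function names and verdict labels are assumptions of this example, and the second sample is constructed to show a resolver that passes signatures through without setting "ad".

```shell
#!/bin/sh
# classify_dig: read `dig ... +dnssec` output on stdin and print one verdict.
# The verdict labels are this example's own names, not dig or Unbound terms.
classify_dig() {
    awk '
        /^;; ->>HEADER<<-/ {                # "... status: NOERROR, id: 38884"
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {                      # ";; flags: qr rd ra ad; QUERY: 1, ..."
            line = $0
            sub(/^;; flags: */, "", line)   # drop the label
            sub(/;.*/, "", line)            # drop the section counters
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        /^[^;]/ && $4 == "RRSIG" { rrsig = 1 }   # signature record in any section
        END {
            if (status == "SERVFAIL") print "servfail"   # includes failed validation
            else if (ad)              print "validated"
            else if (rrsig)           print "signed-not-validated"
            else                      print "no-dnssec-data"
        }'
}

# check_resolver SERVER NAME: live query; needs dig and network access.
check_resolver() { dig "@$1" "$2" A +dnssec | classify_dig; }

# Sample 1: header, flags and records as in the dig output in the post,
# with the signature data elided.
sample_validating() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38884
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
dnssec-validator.cz. 6829 IN A 217.31.205.50
dnssec-validator.cz. 6829 IN RRSIG A 5 2 7200 20101214170301 20101130170301 29165 dnssec-validator.cz. (elided)
EOF
}

# Sample 2: constructed. Same answer, but the resolver did not set "ad".
sample_passthrough() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
dnssec-validator.cz. 6829 IN A 217.31.205.50
dnssec-validator.cz. 6829 IN RRSIG A 5 2 7200 20101214170301 20101130170301 29165 dnssec-validator.cz. (elided)
EOF
}
```

Running `check_resolver` once against the local forwarder and once against the remote resolver for the same signed name shows which of the two sets "ad".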