Maintained by: NLnet Labs

[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation

Bry8 Star
Thu Aug 23 06:20:08 CEST 2012


Hi,
There are many other root servers besides the ICANN root servers. For
example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
(http://www.opennicproject.org/), New Nations (New-Nations.net),
Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org), 42
(http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
DNS) (i-dns.net), Public-Root (http://public-root.com), UnifiedRoot
(unifiedroot.com), etc.

How can I integrate them all into one Unbound, or into a central Unbound, to
use all their TLDs, which are not found in the default ICANN/IANA root servers?

For example, I had to add these in unbound.conf/service.conf for the '42' TLD:

domain-insecure: "42"
stub-zone:
    name: "42"
    stub-addr: 91.191.147.246 # 42Registry a.42tld-servers.net europe
    stub-addr: 91.191.147.243 # 42Registry b.42tld-servers.net europe
    stub-addr: 79.143.244.68  # 42Registry c.42tld-servers.net europe

Now, with the above 6 lines, I could not ping or browse the website at
"search.42" :( but 'dig' and 'nslookup' do resolve/show the NS, A, etc.
records successfully.
I tried "dig 42. any +dnssec", but the flags do not show the 'ad' bit, only
'qr rd ra'. The answer does show an 'SOA' with "a.42tld-servers.net.
tech.42registry.org.", and 4 'NS' records showing "a/b/c/d.42tld-servers.net.".

So what is wrong?
If the 42 TLD has DNSSEC components, then how can I use them? Or how can I
enable DNSSEC for the 42 TLD?

Similarly to the above, I added domain-insecure and stub-zone for the .bit TLD
in the 'unbound.conf' / 'service.conf' file. 'ping', 'nslookup', 'dig',
etc. worked on the http://dot-bit.bit/ site/host/domain. :)

The CesidianRoot proper root DNS server/system has at least 84 TLDs of
its own. And it can also resolve other TLDs from other root DNS
servers.
I added all of them (CesidianRoot and the other roots' TLDs) in this way;
I'm showing only a few TLD examples instead of all 84 TLDs here:

domain-insecure: "5wc"
domain-insecure: "cesidio"
domain-insecure: "linna"
domain-insecure: "free"
...
stub-zone:
    name: "cesidianroot-dnsSrv-randNum1.net"
    stub-addr: 178.254.3.55    # Master CesidianRoot.net Root Server
    stub-addr: 50.77.217.162   # CesidianRoot.net North America
    stub-addr: 199.193.252.198 # CesidianRoot.net North America
    stub-addr: 78.47.115.194   # CesidianRoot.net Europe
    stub-addr: 78.47.115.197   # CesidianRoot.net Europe
    stub-addr: 122.155.6.181   # CesidianRoot.net South-East Asia
    stub-addr: 182.163.74.213  # CesidianRoot.net South-East Asia
    stub-addr: 116.90.134.19   # CesidianRoot.net Australia & Oceania
    stub-addr: 200.58.125.62   # CesidianRoot.net South America
    stub-addr: 196.41.137.142  # CesidianRoot.net Sub-Saharan Africa
stub-zone:
    name: "5wc"
    stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
stub-zone:
    name: "cesidio"
    stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
stub-zone:
    name: "linna"
    stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
stub-zone:
    name: "free"
    stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
...

But when I tried to do ping/nslookup/dig on any TLD randomly chosen from
CesidianRoot, none of the tools worked! :( :-(

What is wrong? I used this "cesidianroot-dnsSrv-randNum1.net"
domain name because it does not exist in real life. Do I need to
define/declare 'ns' & 'cesidianroot-dnsSrv-randNum1.net', which are used
in the stub-host: "ns.cesidianroot-dnsSrv-randNum1.net" line?

And please help me to find a solution where I don't have to list those 10
stub-addr DNS servers of CesidianRoot for all of those 84 TLDs, 84
times; that would become at least 11 x 84 lines of configuration! How can I
reduce the number of lines?

If the CesidianRoot TLDs have DNSSEC components/records, then how
can I use them, or how can I enable DNSSEC for CesidianRoot?

CesidianRoot can also resolve TLDs authoritatively maintained by the
New-Nations.net root system and the i-DNS.net root system. All of those
TLDs are currently using 'ns.cesidianroot-dnsSrv-randNum1.net' as
stub-host in the 'service.conf' / 'unbound.conf' file. Since
CesidianRoot is not SOA / AA / DS for the New-Nations.net & i-DNS.net TLDs,
am I supposed to change the stub-host of those TLDs from
'ns.cesidianroot-dnsSrv-randNum1.net' to
'ns.new-nations-net-dnsSrv-randNum1.net' /
'ns.i-dns-net-dnsSrv-randNum1.net'?

If I could use CesidianRoot with DNSSEC via Unbound (along with the
default ICANN-provided TLDs), then I could apply a similar method/approach
for the other root DNS servers, which are similar.

By the way, your IRC channel #unbound on irc.freenode.net is very
inactive, and some users who did post some messages, instead of helping
out, question the 'question'! Or question the 'user' who is
posting the question or asking for help! Instead of asking more about
the problem itself, and what can be done to solve it! Very unfriendly
attitudes. Most likely these users do not like to help others, or are
grumpy, or busy with something else, or expecting something else from users.

On the website, please add sha1 and sha256 hashes/checksums of the Windows
binary files, thanks.

Thanks for all your help.
~ Bry8Star.
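As an added example (not part of the original post and not Unbound's own code), the Python generator below renders the per-TLD stub-zone configuration the post describes from a single shared address list, so the servers are written once rather than 84 times; it lists stub-addr directly instead of a stub-host under a made-up domain, and emits domain-insecure only for TLDs that have no locally configured trust anchor. The root name, addresses and the DS record are constructed sample values.

```python
"""Render Unbound stub-zone config for TLDs served by an alternative root.

Added example, not code from the original post or from Unbound. The options
used (stub-zone, name, stub-addr, domain-insecure, trust-anchor) are from
unbound.conf(5). All names, addresses and the DS record are constructed.
"""

# One entry per alternative root: its stub servers, the TLDs it serves, and
# any trust anchors obtained out of band (the ICANN root carries no DS for
# these TLDs, so Unbound can only validate them from a local anchor).
ALT_ROOTS = {
    "example-root": {
        "addrs": ["192.0.2.10", "192.0.2.11", "198.51.100.5"],  # constructed
        "tlds": ["exampletld", "sampletld"],
        "anchors": {
            # constructed DS record with a placeholder digest, not a real anchor
            "sampletld": "sampletld. DS 12345 8 2 " + "00" * 32,
        },
    },
}


def render_unbound_stubs(roots):
    """Return unbound.conf text: server: options first, then one stub-zone per TLD."""
    server, zones = ["server:"], []
    for root in roots.values():
        for tld in root["tlds"]:
            anchor = root.get("anchors", {}).get(tld)
            if anchor:
                # Local trust anchor: answers can validate and carry the AD bit.
                server.append(f'    trust-anchor: "{anchor}"')
            else:
                # No anchor: the chain of trust is ignored for this TLD, so
                # answers are accepted unvalidated and never get the AD bit.
                server.append(f'    domain-insecure: "{tld}"')
            zones.append("stub-zone:")
            zones.append(f'    name: "{tld}"')
            # Addresses are listed directly; a stub-host name would itself have
            # to be resolvable, which a made-up domain is not.
            zones.extend(f"    stub-addr: {addr}" for addr in root["addrs"])
    return "\n".join(server + zones) + "\n"


if __name__ == "__main__":
    print(render_unbound_stubs(ALT_ROOTS), end="")
```

Writing the output to a file included from unbound.conf and running unbound-checkconf on it catches syntax mistakes before a restart.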