Maintained by: NLnet Labs

[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation

Leen Besselink
Thu Aug 23 11:14:57 CEST 2012


On Wed, Aug 22, 2012 at 09:20:08PM -0700, Bry8 Star wrote:
> Hi,

Hi,

> There are many other Root servers other than ICANN Root servers. For
> example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
> (http://www.opennicproject.org/), New Nations (New-Nations.net),
> Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org),  42
> (http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
> DNS) (i-dns.net), Public-Root ( http://public-root.com), UnifiedRoot
> (unifiedroot.com), etc.
> 
> How can I integrate all into one Unbound or into a central Unbound, to
> use all their TLDs, which are not found in default ICANN/IANA root servers?
> 

That is gonna be an interesting journey to get that working if you want
DNSSEC.

Extra root servers, especially with DNSSEC, seem kind of unlikely to me.

As the ICANN root is signed, you can't really add other data to a signed zone
at the same level as far as I know.

Extra TLDs should be possible.

You'll need a stub-zone and (auto-)trust-anchor for each TLD that supports DNSSEC.

However a validating resolver on a desktop/laptop/mobile device which does not
have that installed would reject the data.

Not many of those around though. Not yet anyway, but Chrome already has a DNSSEC-validator,
they are adding a DNS-resolver and they have a way of updating the root key. 

The solution for not having to create such a large configuration file might
be that someone, probably the alternative root or TLD operators, could create
a DLV-registry.

That might help.
 
But I'm not an expert on DLV.

> Thanks for all your help.
> ~ Bry8Star.
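
The per-TLD setup described in the reply above (a stub-zone plus an auto-trust-anchor for each DNSSEC-signed TLD), as an added example that is not part of the original post or of Unbound itself: a small generator that renders the unbound.conf text from an inventory, so the large file does not have to be written by hand. The TLD names, addresses and anchor directory are constructed placeholders, and the `domain-insecure` line for unsigned TLDs goes beyond what the post covers: without it, the signed ICANN root's proof that the TLD does not exist makes answers from the stub validate as bogus.

```python
import ipaddress
import re

# Constructed sample inventory: TLD names, documentation-range addresses and
# the anchor directory are placeholders, not real alternative-root data.
SAMPLE_TLDS = [
    {"name": "alt-signed", "addrs": ["192.0.2.53", "2001:db8::53"], "signed": True},
    {"name": "alt-unsigned", "addrs": ["198.51.100.53"], "signed": False},
]

# A TLD is one DNS label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def render_unbound_conf(tlds, anchor_dir="/var/lib/unbound/anchors"):
    """Return unbound.conf text: one stub-zone per TLD plus its DNSSEC policy."""
    server, stubs, seen = ["server:"], [], set()
    for tld in tlds:
        name = tld["name"].lower().rstrip(".")
        if not LABEL.fullmatch(name):
            raise ValueError(f"not a single DNS label: {tld['name']!r}")
        if name in seen:
            raise ValueError(f"duplicate TLD: {name}")
        seen.add(name)
        if not tld["addrs"]:
            raise ValueError(f"no server addresses for {name}")
        # ip_address() rejects hostnames and typos; stub-addr takes IP addresses.
        addrs = [str(ipaddress.ip_address(a)) for a in tld["addrs"]]
        if tld["signed"]:
            # Signed TLD: its own RFC 5011 tracked anchor. The file must first be
            # seeded with the TLD's DNSKEY or DS, obtained and checked out of band.
            server.append(f'    auto-trust-anchor-file: "{anchor_dir}/{name}.key"')
        else:
            # Unsigned TLD: exempt it explicitly so the root anchor cannot mark it bogus.
            server.append(f'    domain-insecure: "{name}."')
        stubs.append("stub-zone:")
        stubs.append(f'    name: "{name}."')
        stubs += [f"    stub-addr: {a}" for a in addrs]
    return "\n".join(server + stubs) + "\n"


if __name__ == "__main__":
    print(render_unbound_conf(SAMPLE_TLDS))
```

Every name under a `domain-insecure` TLD is accepted without validation, so that list is the part of the generated file to review most closely.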