Maintained by: NLnet Labs

[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation

Paul Wouters
Fri Aug 24 00:40:25 CEST 2012


On Wed, 22 Aug 2012, Bry8 Star wrote:

> There are many other Root servers besides the ICANN Root servers. For
> example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
> (http://www.opennicproject.org/), New Nations (New-Nations.net),
> Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org),  42
> (http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
> DNS) (i-dns.net), Public-Root ( http://public-root.com), UnifiedRoot
> (unifiedroot.com), etc.

And we had alternic, alternet, .bofh and many others. They all died.

> How can I integrate them all into one Unbound, or into a central Unbound, to
> use all their TLDs, which are not found in the default ICANN/IANA root servers?

How are you going to deal with overlapping domain names?

> For example, I had to add these to unbound.conf/service.conf for the '42' TLD:
>
> domain-insecure: "42"
> stub-zone:
>   name: "42"
>   stub-addr: 91.191.147.246 # 42Registry a.42tld-servers.net europe
>   stub-addr: 91.191.147.243 # 42Registry b.42tld-servers.net europe
>   stub-addr: 79.143.244.68  # 42Registry c.42tld-servers.net europe

Try using a forward zone, either in the config or using:

sudo unbound-control forward_add 42 91.191.147.246 91.191.147.243 79.143.244.68

> If the 42 TLD supports/has DNSSEC components, then how can I use them? Or
> how do I enable DNSSEC for the 42 TLD?

You can preload any DNSSEC key with trusted-keys-file:
What you are doing (at the root) is not much different from adding
"private views" higher up. So googling for "bind views" might help you
as well.

> By the way, your IRC channel #unbound on irc.freenode.net is very
> inactive, and when some users did post messages, instead of helping
> out, they questioned the 'question'! Or questioned the 'user' who was
> posting the question or asking for help, instead of asking more about
> the problem itself and what can be done to solve it! Very unfriendly
> attitudes. Most likely these users do not like to help others, or are
> grumpy, or busy with something else, or expecting something else from users.

What you are trying to accomplish is wrong. Scattering roots and losing
the global agreement on an address is just bad. I recommend you read:

http://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the-dns-and-have-it-too/

Paul
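The two points Paul makes above, the forward-zone plus trusted-key approach and the collision problem with overlapping names, can be put together in one small tool. The script below is an added example, not code from this thread, from Bry8 Star, or from NLnet Labs: it renders the unbound.conf fragments for a list of alternative-root TLDs (a forward-zone: stanza, with domain-insecure: when no key is available and trust-anchor: when one is) and refuses to emit a zone whose name already exists in the ICANN/IANA root. The IANA TLD set is a constructed sample for offline use, the 'example-alt' TLD and its DS record are placeholders, and the 192.0.2.x addresses are documentation addresses; only the 42 nameserver addresses come from the original post.

```python
"""Added example (not from the mailing-list thread or NLnet Labs).

Builds unbound.conf fragments for alternative-root TLDs and refuses to
emit a forward-zone whose name collides with a TLD that already exists
in the ICANN/IANA root.  The IANA list below is a constructed sample;
a real deployment would load the full list from
https://data.iana.org/TLD/tlds-alpha-by-domain.txt instead.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of IANA TLDs, used so the example runs offline.
IANA_TLDS_SAMPLE = {"com", "net", "org", "info", "biz", "ca", "uk"}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so '42.' and '42' compare equal."""
    return name.strip().rstrip(".").lower()


@dataclass
class AltTLD:
    name: str
    forward_addrs: List[str]
    # Trust anchor in zone-file form (a DS or DNSKEY RR).  None means the
    # registry publishes no usable key, so the TLD has to be declared insecure.
    trust_anchor: Optional[str] = None


def find_collisions(zones: Iterable[AltTLD], iana_tlds: Iterable[str]) -> List[str]:
    """Return alternative-root TLDs that also exist in the IANA root.

    A forward-zone for one of these silently overrides the globally agreed
    delegation for every client of this resolver, which is the objection
    raised in the thread ("how are you going to deal with overlapping names").
    """
    iana = {normalize(t) for t in iana_tlds}
    return sorted(normalize(z.name) for z in zones if normalize(z.name) in iana)


def render_zone(zone: AltTLD) -> str:
    """Render the server: options and the forward-zone: stanza for one TLD."""
    name = normalize(zone.name)
    lines = ["server:"]
    if zone.trust_anchor:
        # A trust anchor configured for the domain makes Unbound validate the
        # alternative TLD's signed data and overrides any domain-insecure.
        lines.append(f'    trust-anchor: "{zone.trust_anchor}"')
    else:
        # The chain of trust from the ICANN root cannot reach this name (the
        # root proves it has no such delegation), so validation must be
        # switched off for it, at the cost of accepting unsigned answers.
        lines.append(f'    domain-insecure: "{name}"')
    lines += ["", "forward-zone:", f'    name: "{name}"']
    lines += [f"    forward-addr: {addr}" for addr in zone.forward_addrs]
    return "\n".join(lines) + "\n"


def build_config(zones: List[AltTLD],
                 iana_tlds: Iterable[str] = IANA_TLDS_SAMPLE) -> str:
    """Render all zones, refusing if any name collides with the IANA root."""
    clashes = find_collisions(zones, iana_tlds)
    if clashes:
        raise ValueError("TLD(s) already exist in the IANA root: "
                         + ", ".join(clashes))
    return "\n".join(render_zone(z) for z in zones)


if __name__ == "__main__":
    # The 42 addresses are the ones posted in the thread.  'example-alt' and
    # its DS record are placeholders (a 64-hex-digit SHA-256 digest of zeros),
    # not a real registry or key.
    zones = [
        AltTLD("42", ["91.191.147.246", "91.191.147.243", "79.143.244.68"]),
        AltTLD("example-alt", ["192.0.2.53"],
               trust_anchor="example-alt. DS 12345 8 2 " + "00" * 32),
    ]
    print(build_config(zones))
    try:
        build_config([AltTLD("biz", ["192.0.2.54"])])
    except ValueError as err:
        print("refused:", err)
```

Feed the rendered text to unbound-checkconf before including it; the generator only prevents the one class of mistake the thread warns about (shadowing a real TLD) and cannot tell you whether a registry's published key is actually the one it signs with.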