Maintained by: NLnet Labs

[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation

Bry8 Star
Fri Aug 24 07:47:15 CEST 2012


Here is my config file, please see what is wrong:

# BEGIN of service.conf / unbound.conf file
server:
verbosity: 3
statistics-interval: 0
statistics-cumulative: "no"
extended-statistics: "no"
num-threads: 2
interface: 127.0.0.1
interface: 192.168.0.10
interface: ::1
interface-automatic: "no"
port: 53
outgoing-interface: 192.168.0.10
outgoing-range: 400
outgoing-port-permit: 52000-56096
outgoing-port-avoid: "22,25,26,37,53,54,55,67,68,69,80,110,123,135,137,138,139,143,443,445,465,500,587,843,990,912,993,995,1025,1863,1935,2082,2083,2096,2400,4242,4400,4421,4444,4445,4480,4500,4569,5038,5050,5060,5061,5062,5063,5064,5065,5198,5199,5200,5222,5555,5800,5801,5900,5901,6666,6667,6668,6669,7000,7001,7002,7003,7004,7005,7006,7658,7659,7660,7777,8050,8052,8054,8056,8058,8060,8080,8110,8118,8120,8123,8125,8143,8210,8225,8243,8998,9001,9022,9030,9050,9051,9052,9053,9054,9055,9056,9057,9058,9059,9060,9080,10000,15000,15001,15002,15003,15004,16001,16999,20000,20001,25000,26999,30600,31000,32000,36999,50300"
outgoing-num-tcp: 10
incoming-num-tcp: 10
so-rcvbuf: 8m
so-sndbuf: 8m
edns-buffer-size: 4096
msg-buffer-size: 65552
msg-cache-size: 24m
msg-cache-slabs: 4
num-queries-per-thread: 200
jostle-timeout: 200
rrset-cache-size: 48m
rrset-cache-slabs: 4
cache-min-ttl: 0
cache-max-ttl: 21600
infra-host-ttl: 900
infra-cache-slabs: 4
infra-cache-numhosts: 10000
do-ip4: "yes"
do-ip6: "no" # for now
do-udp: "yes"
do-tcp: "yes"
tcp-upstream: "no"
do-daemonize: "yes"
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.10/24 allow
access-control: ::1 allow
logfile: "C:\Program Files\Unbound\unbound.log"
use-syslog: "no"
log-time-ascii: "yes"
log-queries: "no"
root-hints: "C:\Program Files\Unbound\named.cache"
hide-identity: "yes"
hide-version: "yes"
identity: "DNS"
version: "1.0.0"
target-fetch-policy: "3 2 1 1 1 1"
harden-short-bufsize: "no"
harden-large-queries: "no"
harden-glue: "yes"
harden-dnssec-stripped: "yes"
harden-below-nxdomain: "no"
harden-referral-path: "no"
use-caps-for-id: "no"
unwanted-reply-threshold: 1000
prefetch: "yes"
prefetch-key: "yes"
rrset-roundrobin: "yes"
minimal-responses: "no"
module-config: "validator iterator"
dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
# Downloaded from http://ftp.isc.org/www/dlv/dlv.isc.org.key
# DLV, DNS Lookaside Validation, for the root
auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
#trust-anchor-file: "<filename>"
# File with trusted keys for validation. Specify more
# than one file with several entries, one file per entry.
# Standard DNS Zone file format, with DS, DNSKEY entries.
#trusted-keys-file: "<filename>"
# File with trusted keys for validation. Specify more
# than one file with several entries, one file per entry.
# Like trust-anchor-file, but in BIND-9 format.
domain-insecure: "42"
domain-insecure: "ovh"
domain-insecure: "bit"
domain-insecure: "ita"
domain-insecure: "geek"
# other TLDs that are inside other AltRootDNS
val-bogus-ttl: 60
val-sig-skew-max: 86400
val-clean-additional: "yes"
val-permissive-mode: "no"
ignore-cd-flag: "yes"
val-log-level: 2
#val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
key-cache-size: 24m
key-cache-slabs: 4
neg-cache-size: 4m
local-zone: "onion." refuse # disallow via public route
local-zone: "i2p." refuse # supposed to go via proxy route
remote-control:
control-enable: "no"
stub-zone:
 name: "42" # http://42registry.org/
 stub-addr: 91.191.147.246 # name / DNS Srvr
 stub-addr: 91.191.147.243
 stub-addr: 79.143.244.68
 # test with "search.42"
stub-zone:
 name: "ovh" # http://ovh.co.uk/
 stub-addr: 213.251.128.133 # name / DNS Srvr
 stub-addr: 213.251.188.133
stub-zone:
 name: "bit" # http://dot-bit.org
 stub-addr: 178.32.31.41  # name / DNS Srvr
 stub-addr: 108.174.61.249
 stub-addr: 78.47.86.43
 stub-addr: 96.127.133.37
 stub-addr: 69.194.226.23
 stub-addr: 194.71.109.237
 # test with "dot-bit.bit"
# OpenNIC : http://www.opennicproject.org/ :
# TLDs: .geek, .free, .bbs, .parody, .oss,
# .indy, .fur, .ing, .micro, .dyn, .neo,
# .pirate, gopher and null.
stub-zone:
 name: "opennicproj-rtDnsSrvr-randNum01.com"
 stub-addr: 66.244.95.20 # name / DNS Srvr
 stub-addr: 74.207.247.4
 stub-addr: 216.87.84.211
 stub-addr: 66.90.81.200
 stub-addr: 94.23.246.31
 stub-addr: 95.142.171.235
 stub-addr: 82.237.169.10
 stub-addr: 202.83.95.227
 stub-addr: 58.6.115.42
 stub-prime: no
 stub-first: no
stub-zone:
 name: "geek"
 stub-host: "ns.opennicproj-rtDnsSrvr-randNum01.com"
# test with "grep.geek"
# ... around 14 OpenNIC TLDs
# CesidianRoot :  http://www.cesidianroot.net/
# Cesidian Root proper (84 TLDs), they also resolve
# other Alt Root DNS's TLDs
stub-zone: # http://www2.world-dns.net/
 name: "cesidianroot-dnsSrvr-randNum02.net"
 stub-addr: 178.254.3.55  # name/DNS server
 stub-addr: 50.77.217.162
 stub-addr: 199.193.252.198
 stub-addr: 78.47.115.194
 stub-addr: 78.47.115.197
 stub-addr: 122.155.6.181
 stub-addr: 182.163.74.213
 stub-addr: 116.90.134.19
 stub-addr: 200.58.125.62
 stub-addr: 196.41.137.142
stub-zone:
 name: "ita"
 stub-host: "ns.cesidianroot-dnsSrvr-randNum02.net"
# test with "governo.ita"
# ... around 84 CesidianRoot TLDs
forward-zone:
 name: "."
 forward-addr: i.p.adrs.1 # AT&T ISP # Recursive/Caching
 forward-addr: i.p.adrs.2 # AT&T ISP # Recursive/Caching
# END of service.conf / unbound.conf file

I can at least (inconsistently) do ping or nslookup or dig on test sites
in the 42, ovh, bit TLDs,
but could not do so for test sites in TLDs like geek, ita.

Thanks for your help in advance,
Bry8Star.



On 8/22/2012 9:20 PM, Bry8 Star wrote:
> Hi,
> There are many other Root servers other than ICANN Root servers. For
> example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
> (http://www.opennicproject.org/), New Nations (New-Nations.net),
> Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org),  42
> (http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
> DNS) (i-dns.net), Public-Root ( http://public-root.com), UnifiedRoot
> (unifiedroot.com), etc.
> 
> How can I integrate all into one Unbound or into a central Unbound? To
> use all their TLDs, which are not found in default ICANN/IANA root servers.
> 
> For example, I had to add these in unbound.conf/service.conf for the '42' TLD:
> 
> domain-insecure: "42"
> stub-zone:
>  name: "42"
>   stub-addr: 91.191.147.246 # 42Registry a.42tld-servers.net europe
>   stub-addr: 91.191.147.243 # 42Registry b.42tld-servers.net europe
>   stub-addr: 79.143.244.68  # 42Registry c.42tld-servers.net europe
> 
> Now with the above 6 lines, I could not ping or browse the website at
> "search.42" :( but 'dig', 'nslookup' do resolve/show successfully ns,
> a, etc. records.
> I tried "dig 42. any +dnssec", but the flags do not show the 'ad' bit, only
> 'qr rd ra'. The answer does show 'SOA' with "a.42tld-servers.net.
> tech.42registry.org.", and 4 'NS' show "a/b/c/d.42tld-servers.net.".
> 
> So what is/are wrong?
> If the 42 TLD supports/has DNSSEC components, then how can I use them? Or
> how to enable DNSSEC for the 42 TLD?
> 
> Similar to the above, I added domain-insecure and stub-zone for the .bit TLD
> in the 'unbound.conf' / 'service.conf' file. The 'ping', 'nslookup', 'dig'
> etc. worked on the http://dot-bit.bit/ site/host/domain. :)
> 
> The CesidianRoot proper, root dns server/system, has at least 84 TLDs of
> their own. And they can also resolve other TLDs from other root dns
> servers.
> I added all of them (CesidianRoot and other roots' TLDs) in this way;
> I'm showing only a few TLD examples instead of all 84 TLDs here:
> 
> domain-insecure: "5wc"
> domain-insecure: "cesidio"
> domain-insecure: "linna"
> domain-insecure: "free"
> ...
> stub-zone:
>  name: "cesidianroot-dnsSrv-randNum1.net"
>   stub-addr: 178.254.3.55    # Master CesidianRoot.net Root Server
>   stub-addr: 50.77.217.162   # CesidianRoot.net North America
>   stub-addr: 199.193.252.198 # CesidianRoot.net North America
>   stub-addr: 78.47.115.194   # CesidianRoot.net Europe
>   stub-addr: 78.47.115.197   # CesidianRoot.net Europe
>   stub-addr: 122.155.6.181   # CesidianRoot.net South-East Asia
>   stub-addr: 182.163.74.213  # CesidianRoot.net South-East Asia
>   stub-addr: 116.90.134.19   # CesidianRoot.net Australia & Oceania
>   stub-addr: 200.58.125.62   # CesidianRoot.net South America
>   stub-addr: 196.41.137.142  # CesidianRoot.net Sub-Saharan Africa
> stub-zone:
>  name: "5wc"
>   stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
> stub-zone:
>  name: "cesidio"
>   stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
> stub-zone:
>  name: "linna"
>   stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
> stub-zone:
>  name: "free"
>   stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
> ...
> 
> But when I tried to do ping/nslookup/dig on any TLD randomly from
> CesidianRoot, none of the tools worked! :( :-(
> 
> What is/are wrong? I used this "cesidianroot-dnsSrv-randNum1.net"
> domain name because such does not exist in real life. Do I need to
> define/declare 'ns' & 'cesidianroot-dnsSrv-randNum1.net' which are used
> in the stub-host: "ns.cesidianroot-dnsSrv-randNum1.net" line?
> 
> And please help me to have a solution where I don't have to use those 10
> stub-addr DNS servers of CesidianRoot for all of those 84 TLDs 84
> times; then it will become at least 11 x 84 lines of code! How can I
> reduce the number of lines?
> 
> If CesidianRoot TLDs support/have DNSSEC components/records, then how
> can I use them, or how to enable DNSSEC for CesidianRoot?
> 
> CesidianRoot can also resolve TLDs authoritatively maintained by
> New-Nations.net root system, and i-DNS.net Root system. All of those
> TLDs are currently using 'ns.cesidianroot-dnsSrv-randNum1.net' as
> stub-host currently in 'service.conf' / 'unbound.conf' file. Since
> CesidianRoot is not SOA / AA / DS of New-Nations.net & i-DNS.net TLDs,
> am I supposed to change the stub-host of those TLDs from
> 'ns.cesidianroot-dnsSrv-randNum1.net' into
> 'ns.new-nations-net-dnsSrv-randNum1.net' /
> 'ns.i-dns-net-dnsSrv-randNum1.net' ?
> 
> If I could use CesidianRoot with DNSSEC via Unbound (along with the
> default ICANN provided TLDs), then I could apply a similar method/approach
> for other root DNS servers, which are similar.
> 
> By the way, your IRC channel #unbound on irc.freenode.net is very
> inactive, and some users who did post some messages, instead of helping
> out, question the 'question'! Or question the 'user' who is
> posting the question or asking for help, instead of asking more about
> the problem itself and what can be done to solve it! Very unfriendly
> attitudes. Most likely these users do not like to help others, or are
> grumpy, or busy with something else, or expecting something else from users.
> 
> On the website, please add sha1, sha256 hash/checksum of the Windows binary
> files, thanks.
> 
> Thanks for all your help.
> ~ Bry8Star.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
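
An added example, not part of the original message and not NLnet Labs code: a small Python audit of the stub-zone layout shown above. It lists stub zones whose stub-host name must itself be resolved through another stub-zone in the same file, and stub zones that no domain-insecure entry covers and that therefore stay subject to validation against the configured trust anchors. SAMPLE_CONF is a constructed, shortened copy of the posted config, and the function names are illustrative.

```python
# Constructed sample: a shortened copy of the stub-zone layout in the post.
SAMPLE_CONF = '''
server:
 domain-insecure: "42"
 domain-insecure: "geek"
stub-zone:
 name: "42"
 stub-addr: 91.191.147.246
stub-zone:
 name: "opennicproj-rtDnsSrvr-randNum01.com"
 stub-addr: 66.244.95.20
stub-zone:
 name: "geek"
 stub-host: "ns.opennicproj-rtDnsSrvr-randNum01.com"
'''

def norm(name):
    return name.strip().strip('"').rstrip(".").lower()

def under(name, zone):
    return name == zone or name.endswith("." + zone)

def parse(conf):
    insecure, stubs, cur = [], [], None
    for raw in conf.splitlines():
        key, _, val = raw.split("#", 1)[0].strip().partition(":")
        key, val = key.strip(), val.strip()
        if key and not val:  # clause header such as "server:" or "stub-zone:"
            cur = {"name": "", "hosts": []} if key == "stub-zone" else None
            if cur is not None:
                stubs.append(cur)
        elif key == "domain-insecure":
            insecure.append(norm(val))
        elif cur is not None and key == "name":
            cur["name"] = norm(val)
        elif cur is not None and key == "stub-host":
            cur["hosts"].append(norm(val))
    return insecure, stubs

def audit(conf):
    insecure, stubs = parse(conf)
    # A stub-host under another stub-zone is looked up at that zone's
    # stub-addr servers, so those servers must really answer for the name.
    via_stub = [(z["name"], h, o["name"]) for z in stubs for h in z["hosts"]
                for o in stubs if o is not z and under(h, o["name"])]
    # Stub zones outside every domain-insecure entry are still validated.
    validated = [z["name"] for z in stubs
                 if not any(under(z["name"], d) for d in insecure)]
    return via_stub, validated
```
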