Maintained by: NLnet Labs

[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation

Bry8 Star
Mon Aug 27 05:34:24 CEST 2012



On 8/23/2012 3:40 PM, Paul Wouters wrote:
> On Wed, 22 Aug 2012, Bry8 Star wrote:
> 
>> There are many other Root servers other than ICANN Root servers. For
>> example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
>> (http://www.opennicproject.org/), New Nations (New-Nations.net),
>> Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org),  42
>> (http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
>> DNS) (i-dns.net), Public-Root ( http://public-root.com), UnifiedRoot
>> (unifiedroot.com), etc.
> 
> And we had alternic, alternet, .bofh and many others. They all died.
> 

and new ones are also starting up, you did not mentioned those !

On 8/23/2012 3:40 PM, Paul Wouters wrote:
> On Wed, 22 Aug 2012, Bry8 Star wrote:
>
>> How can i integrate all into one Unbound or into a central Unbound ? to
>> use their all TLDs, which are not found in default ICANN/IANA root
>> servers.
> 
> How are you going to deal with overlapping domain names?
> 

it would be upto end-user like me to choose which one i want to reach,
or, what technique i can apply to reach into both area. What do you
suggest to solve a problem like this ? how can i reach both side ? could
i re-map such one TLD onto another one or add '2' at end, and use ? How
to do that on 'Unbound' ?

On 8/23/2012 3:40 PM, Paul Wouters wrote:
> On Wed, 22 Aug 2012, Bry8 Star wrote:
>
>> For example, i had to add these in unbound.conf/service.conf for '42'
>> TLD:
>>
>> domain-insecure: "42"
>> stub-zone:
>> name: "42"
>>  stub-addr: 91.191.147.246 # 42Registry a.42tld-servers.net europe
>>  stub-addr: 91.191.147.243 # 42Registry b.42tld-servers.net europe
>>  stub-addr: 79.143.244.68  # 42Registry c.42tld-servers.net europe
> 
> Try using forward zone? either in config or using:
> 
> sudo unbound-control forward_add 42 91.191.147.246 91.191.147.243
> 79.143.244.68
> 

i'm not understanding your command, what will it do ? currently 42 is
resolving fine, please see my other email. the mentioned IP addresses
are their nameservers, aren't nameservers suppose to be added inside
'stub-zone' in unbound ? those are not able to resolve icann/iana root
TLDs. and i dont remote control unbound.

On 8/23/2012 3:40 PM, Paul Wouters wrote:
> On Wed, 22 Aug 2012, Bry8 Star wrote:
>
>> if 42 TLD supports/has DNSSEC components, then how can i use them ? or
>> how to enable DNSSEC for 42 TLD ?
> 
> You can preload any dnssec key with trusted-keys-file: What you are
> doing (at the root) is not much different from adding
> "private views" higher up. So googling for "bind views" might help you
> as well.
> 

Thanks. Need an unbound config file commands/options. Please response
using the other email on this.

On 8/23/2012 3:40 PM, Paul Wouters wrote:
> On Wed, 22 Aug 2012, Bry8 Star wrote:
>
>> by the way, your irc channel #unbound in irc.freenode.net is very
>> in-active, and some users who did post some messages, instead of helping
>> out, they question the 'question' ! or question the 'user' who is
>> posting the question or asking for help ! instead of asking more about
>> the problem itself, and what can be done to solve it ! very unfriendly
>> attitudes. Most likely these users does not like to help others, or
>> grumpy, or busy with something else, or expecting something else from
>> users.
> 
> What you are trying to accomplish is wrong. Scattering roots and losing
> the global agreement on an address is just bad. I recommend you read:
> 
> http://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the-dns-and-have-it-too/
> 
> 
> Paul

Hello Paul, TRY to see what kind of mistake you are doing: you are
saying me "What you are trying to accomplish is wrong" ! ... please
direct that to alternative Root server operators or related person, and,
also to icann/iana related person. Not an end user like me.  End user
like me who is trying to use 'Unbound' like DNS resolver (and not a DNS
server) on end-user OS like Windows XP,7, will use what already exists.

Probably, if you read carefully, you will see, my target is to integrate
and use TLDs that are already in icann/iana/etc, AND also use other TLDs
that are in other alternative root servers. 'Unbound' by default already
uses ICANN/iana/etc, want to resolve/add more TLDs which they cannot
resolve.

I'm in mailing list, and started this email-thread, in the hope that
there may be some people who are willing help on to get a working
solution, not for discussing other issues.