Maintained by: NLnet Labs

[Unbound-users] What is needed for dnssec?

Phil Mayers
Tue Feb 14 10:03:47 CET 2012

On 02/14/2012 12:46 AM, Marcel van Beurden wrote:
> Hi all,
> I'm new to Unbound and DNSSEC. I'm using it on my home network to serve up
> my local hostnames, provide me with DNSSEC and IPv6 support.
> My 1st question is a general DNSSEC question. What do I need to have on my
> desktop pc to have Firefox with the DNSSEC Validator addon to validate
> DNSSEC-enabled websites? I have installed Unbound on my server (Debian 6.0)

That depends on how the firefox plugin works. It may DNSSEC itself, and 
merely require a DNSSEC-aware upstream resolver. Or it may require the 
upstream resolver to do DNSSEC and set the "ad" flag.

> and have my desktop pc (Ubuntu 11.10) use my server as DNS-server. This
> does not seem to work. So I also installed Unbound on my desktop, and then
> it seems to work. Is this how it's supposed to work?

Care to be more specific about what "does not seem to work" means?

With unbound on your server, you should be able to do:

dig +dnssec @server <signed name>

...and get back a response with the "ad" flag set e.g.

$ dig +dnssec org ns
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
                    ^^ AD flag set