Maintained by: NLnet Labs

[Unbound-users] What is needed for dnssec?

Ondřej Surý
Tue Feb 14 16:03:03 CET 2012


On Tue, Feb 14, 2012 at 10:03, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 02/14/2012 12:46 AM, Marcel van Beurden wrote:
>>
>> Hi all,
>>
>> I'm new to Unbound and DNSSEC. I'm using it on my home network to serve up
>> my local hostnames, provide me with DNSSEC and IPv6 support.
>>
>> My 1st question is a general DNSSEC question. What do I need to have on my
>> desktop pc to have Firefox with the DNSSEC Validator addon to validate
>> DNSSEC-enabled websites? I have installed Unbound on my server (Debian
>> 6.0)
>
>
> That depends on how the Firefox plugin works. It may do DNSSEC itself, and
> merely require a DNSSEC-aware upstream resolver.

> Or it may require the
> upstream resolver to do DNSSEC and set the "ad" flag.

This one, but we are thinking of moving it closer to the application and doing
validation inside DNSSEC Validator.

>> and have my desktop pc (Ubuntu 11.10) use my server as DNS-server. This
>> does not seem to work. So I also installed Unbound on my desktop, and then
>> it seems to work. Is this how it's supposed to work?
>
>
> Care to be more specific about what "does not seem to work" means?
>
> With unbound on your server, you should be able to do:
>
> dig +dnssec @server <signed name>
>
> ...and get back a response with the "ad" flag set e.g.
>
> $ dig +dnssec org ns
> ...
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
>                   ^^ AD flag set

O.
-- 
Ondřej Surý <ondrej at sury.org>
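
Added example, not part of the original message or of the DNSSEC Validator code: what a stub that relies on the upstream resolver's "ad" flag has to check, shown on the DNS wire format. The function names are hypothetical, and the two sample response headers are constructed from the flags line in the dig output quoted above.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035), in the order dig prints them.
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

def build_query(name, qtype=2, txid=0x1234):
    """Build a query with RD set and an EDNS0 OPT record carrying the DO bit,
    the bit that dig +dnssec sets. qtype 2 = NS."""
    header = struct.pack("!HHHHHH", txid, FLAG_BITS["rd"], 1, 0, 0, 1)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, class = UDP payload size,
    # TTL = ext-rcode | version | flags (DO = 0x8000), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte DNS header into id, flag names, rcode and counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid,
            "flags": [n for n, bit in FLAG_BITS.items() if flags & bit],
            "rcode": flags & 0x000F,
            "counts": (qd, an, ns, ar)}

def is_validated(msg, expected_txid):
    """True only for a NOERROR response to our query with the AD bit set."""
    h = parse_header(msg)
    return (h["id"] == expected_txid and "qr" in h["flags"]
            and h["rcode"] == 0 and "ad" in h["flags"])

# Constructed sample headers (no question or answer sections attached):
# "flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7"
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 7, 0, 7)
# The same response from a resolver that did not validate: no AD bit.
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 7, 0, 7)

if __name__ == "__main__":
    for label, msg in (("validating", SAMPLE_VALIDATED),
                       ("non-validating", SAMPLE_UNVALIDATED)):
        print(label, parse_header(msg)["flags"], is_validated(msg, 0x1234))
```

The AD bit is the resolver's own assertion, so a client that relies on it is trusting both that resolver and the network path to it.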