Maintained by: NLnet Labs

[Unbound-users] What is needed for dnssec?

Robert Edmonds
Tue Feb 14 16:53:44 CET 2012


Ondřej Surý wrote:
> On Tue, Feb 14, 2012 at 10:03, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> > On 02/14/2012 12:46 AM, Marcel van Beurden wrote:
> >>
> >> Hi all,
> >>
> >> I'm new to Unbound and DNSSEC. I'm using it on my home network to serve up
> >> my local hostnames, provide me with DNSSEC and IPv6 support.
> >>
> >> My 1st question is a general DNSSEC question. What do I need to have on my
> >> desktop pc to have Firefox with the DNSSEC Validator addon to validate
> >> DNSSEC-enabled websites? I have installed Unbound on my server (Debian
> >> 6.0)
> >
> >
> > That depends on how the firefox plugin works. It may DNSSEC itself, and
> > merely require a DNSSEC-aware upstream resolver.
> 
> > Or it may require the
> > upstream resolver to do DNSSEC and set the "ad" flag.
> 
> This one, but we are thinking to move it closer to application and do
> validation inside DNSSEC Validator.
> 
> >> and have my desktop pc (Ubuntu 11.10) use my server as DNS-server. This
> >> does not seem to work. So I also installed Unbound on my desktop, and then
> >> it seems to work. Is this how it's supposed to work?
> >
> >
> > Care to be more specific about what "does not seem to work" means?
> >
> > With unbound on your server, you should be able to do:
> >
> > dig +dnssec @server <signed name>
> >
> > ...and get back a response with the "ad" flag set e.g.
> >
> > $ dig +dnssec org ns
> > ...
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
> >                   ^^ AD flag set

if the validator plugin requires the AD flag then that explains the
poster's different results between debian and ubuntu.

the "ubuntu" unbound package is pretty much just the debian unbound
package (with the minor exception that, because ubuntu releases so
often, they end up doing more security updates for their distribution's
releases), and i introduced DNSSEC validation by default (with the help
of unbound-anchor) in versions >= 1.4.9-1, which is after the stable
release of debian (6.0/squeeze), but has probably been included in
several ubuntu releases by now.  also note that newer unbound packages
for debian stable that do DNSSEC validation by default are available in
the debian backports repository.

-- 
Robert Edmonds
edmonds at debian.org
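The check Phil Mayers describes (run `dig +dnssec` against the resolver and look for the "ad" flag), as an added example that is not part of this thread: it parses dig's header line and goes a little beyond the post by also reporting a SERVFAIL (what a validating resolver returns when signatures fail) and a "cd" flag (validation was switched off by the query) as distinct outcomes. The sample dig outputs are constructed, and `check_resolver` assumes `dig` is on PATH.

```python
import re
import subprocess

# Constructed dig output, modelled on the "dig +dnssec org ns" snippet in the thread.
SAMPLE_VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
"""
# Same answer from a resolver that does not validate: no "ad" flag.
SAMPLE_UNVALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
"""
# A validating resolver answers SERVFAIL when the signatures do not check out.
SAMPLE_BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")


def parse_dig_header(output):
    """Return (rcode, set of header flag names) from dig's text output."""
    flags_match = FLAGS_RE.search(output)
    flags = set(flags_match.group(1).split()) if flags_match else set()
    status_match = STATUS_RE.search(output)
    rcode = status_match.group(1) if status_match else None
    return rcode, flags


def classify(output):
    """Map one dig response to what it says about the upstream resolver."""
    rcode, flags = parse_dig_header(output)
    if rcode != "NOERROR":
        # SERVFAIL for a name known to be correctly signed usually means the
        # resolver tried to validate and failed (clock, trust anchor, path).
        return "failed:" + (rcode or "no-header")
    if "cd" in flags:
        # Checking Disabled was requested, so no "ad" can be expected here.
        return "validation-disabled"
    return "validated" if "ad" in flags else "unvalidated"


def check_resolver(server, name="org", rrtype="NS"):
    """Run the check from the thread against a live resolver (needs dig on PATH)."""
    proc = subprocess.run(["dig", "+dnssec", "@" + server, name, rrtype],
                          capture_output=True, text=True, check=False)
    return classify(proc.stdout)
```

Running `check_resolver("192.0.2.53")` (placeholder address) against the home server should return "validated"; "unvalidated" means the resolver answers but is not validating, which is the situation the original poster saw with the older Debian package.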