Maintained by: NLnet Labs

[Unbound-users] What is needed for dnssec?

Marcel van Beurden
Tue Feb 14 19:27:30 CET 2012


Hi,

On 14-02-12 16:53, Robert Edmonds wrote:
>>> With unbound on your server, you should be able to do:
>>>
>>> dig +dnssec @server <signed name>
>>>
>>> ...and get back a response with the "ad" flag set e.g.
>>>
>>> $ dig +dnssec org ns
>>> ...
>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
>>>                   ^^ AD flag set

When I type this command on both my server and desktop machine, I don't see
the AD flag.

I did this with dig version 9.7.3.

> if the validator plugin requires the AD flag then that explains the
> poster's different results between debian and ubuntu.
> 
> the "ubuntu" unbound package is pretty much just the debian unbound
> package (with the minor exception that, because ubuntu releases so
> often, they end up doing more security updates for their distribution's
> releases), and i introduced DNSSEC validation by default (with the help
> of unbound-anchor) in versions >= 1.4.9-1, which is after the stable
> release of debian (6.0/squeeze), but has probably been included in
> several ubuntu releases by now.  also note that newer unbound packages
> for debian stable that do DNSSEC validation by default are available in
> the debian backports repository.

Unbound version on server (Debian): 1.4.14-2~bpo60+1
Unbound version on Ubuntu: 1.4.12-1ubuntu1

Marcel
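The check Robert Edmonds describes, querying a signed name with `dig +dnssec` and looking for `ad` in the flags line, as an added shell example that is not part of the original thread. It assumes a BIND 9.x `dig` is installed and that the flags line has the `;; flags: qr rd ra ad; QUERY: ...` form quoted above; the two sample outputs embedded in it are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the unbound-users thread: decide whether a resolver
# signalled DNSSEC validation (AD flag) on a signed name.
# Assumption: BIND 9.x dig output, whose header carries a line of the form
#   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7

# has_ad_flag: read dig output on stdin; exit 0 if the ";; flags:" line
# contains the token "ad", exit 1 otherwise.
has_ad_flag() {
    awk '
        /^;; flags:/ {
            sub(/^;; flags: */, "")      # drop the ";; flags:" prefix
            sub(/;.*$/, "")              # keep only the flag list
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# check_dnssec SERVER NAME [TYPE]: query SERVER directly (so that
# /etc/resolv.conf cannot silently send the query elsewhere) and report
# whether the answer carried the AD flag. Needs network access.
check_dnssec() {
    server=$1; name=$2; type=${3:-NS}
    if dig +dnssec @"$server" "$name" "$type" | has_ad_flag; then
        echo "$server: AD flag set for $name/$type (resolver validated it)"
        return 0
    else
        echo "$server: no AD flag for $name/$type (not validating, or name not signed)"
        return 1
    fi
}

# Constructed sample headers for offline use: a validating resolver
# answering "org NS" (AD set) and a non-validating one (AD absent).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7'

# Live use: ./check_ad.sh 127.0.0.1 org   (server and signed name as arguments)
if [ $# -gt 0 ]; then
    check_dnssec "$1" "${2:-org}"
fi
```

Two caveats when running this against a real box: `dig` without `@server` uses whatever `/etc/resolv.conf` points at, so query `@127.0.0.1` (or the unbound listen address) explicitly before concluding that unbound is not validating; and the AD flag only appears when the resolver validates and the client did not set CD, so `+cd` queries will never show it even on a correctly configured resolver.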