Maintained by: NLnet Labs

[Unbound-users] What is needed for dnssec?

Marcel van Beurden
Wed Feb 15 00:05:46 CET 2012

On 14-02-12 10:03, Phil Mayers wrote:
> With unbound on your server, you should be able to do:
> dig +dnssec @server <signed name>
> ...and get back a response with the "ad" flag set e.g.
> $ dig +dnssec org ns
> ...
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7
>                    ^^ AD flag set

This now works. I have solved it by adding the following line to my
unbound.conf on my server:

auto-trust-anchor-file: "/etc/unbound/root.key"

I thought this path would be the default path and did not need to be
specified. But it does. I removed unbound from my desktop PC as it's not needed.

Maybe unbound-anchor should add this line to unbound.conf automatically or
at least check/warn the user if it is incorrect.

Thanks all for the help.
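
The check asked for in the message above, sketched as an added example (not part of the original post and not NLnet Labs code): it looks for an active trust-anchor option in unbound.conf text and reads the "ad" flag from dig output. The function names and the sample config are constructed for illustration, and `include:` files are not followed.

```python
import re

# unbound.conf options that configure a DNSSEC trust anchor.
ANCHOR_OPTIONS = ("auto-trust-anchor-file", "trust-anchor-file",
                  "trusted-keys-file", "trust-anchor")

def anchor_directives(conf_text):
    """Return (option, value) pairs for every active trust-anchor line."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # commented-out lines do not count
        if ":" not in line:
            continue
        option, value = line.split(":", 1)
        if option.strip() in ANCHOR_OPTIONS:
            found.append((option.strip(), value.strip().strip('"')))
    return found

def has_ad_flag(dig_output):
    """True if the ';; flags:' header line of dig output lists 'ad'."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.MULTILINE)
    return bool(m) and "ad" in m.group(1).split()

def diagnose(conf_text, dig_output):
    """Combine both checks into one finding a warning message could use."""
    if not anchor_directives(conf_text):
        return "no trust anchor configured: unbound will not validate"
    if not has_ad_flag(dig_output):
        return "trust anchor configured but answer not authenticated (no ad)"
    return "validating"

# Constructed sample configs: the anchor line commented out, then active.
CONF_BEFORE = ('server:\n    interface: 0.0.0.0\n'
               '    # auto-trust-anchor-file: "/etc/unbound/root.key"\n')
CONF_AFTER = ('server:\n    interface: 0.0.0.0\n'
              '    auto-trust-anchor-file: "/etc/unbound/root.key"\n')
# Flags line as quoted in the thread, and a constructed one without "ad".
DIG_AD = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 7"
DIG_NO_AD = ";; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 7"

if __name__ == "__main__":
    print(diagnose(CONF_BEFORE, DIG_NO_AD))
    print(diagnose(CONF_AFTER, DIG_AD))
```

The "ad" flag only tells you what the resolver claims, so it is meaningful when the path between client and resolver is trusted, such as a query to a resolver on the same host.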