Maintained by: NLnet Labs

[Unbound-users] DNSSEC Validation

Abdalmonem Tharwat Galila
Fri Sep 19 13:15:00 CEST 2014


Server No 1 for UnBound "172.16.96.196":-

I have already added
trust-anchor: "myTLD.		IN DS 18016 7 2 C160C68025F1909143A28296355EA3999B98A1D10752124154UC84BC 4DE82627"

service unbound restart >>> ok

Server No 2 for UnBound :-

This server contains the signed zone, added to named.conf. I edited /etc/resolv.conf to point to server no 1 "nameserver -------- ".
When I try to dig myDOmain.myTLD "A record":

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> +dnssec myDOmain.myTLD +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50746
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;myDOmain.myTLD.		IN A

;; Query time: 0 msec
;; SERVER: 172.16.96.196#53(172.16.96.196)
;; WHEN: Fri Sep 19 14:11:40 2014
;; MSG SIZE  rcvd: 49

Could you advise?
Really appreciate your reply.

________________________________________
From: Unbound-users [unbound-users-bounces at unbound.net] on behalf of W.C.A. Wijngaards [wouter at nlnetlabs.nl]
Sent: Friday, September 19, 2014 1:00 PM
To: Abdelmeniem Tharwat; unbound-users at unbound.net
Subject: Re: [Unbound-users] DNSSEC Validation

Hi Abdelmeniem,

Copy the DS record in a text file:
echo " .... DS record ... " > mykeyfile

Change unbound.conf:
trust-anchor-file: "mykeyfile"

Restart unbound.

Best regards,
   Wouter

On 09/19/2014 11:14 AM, Abdelmeniem Tharwat wrote:
> I have already signed my zone and have a DS record, but I do not
> know how to upload this DS to unbound. And how do I add my zone to
> Unbound? Could you explain this step by step? I am using Red Hat
> Linux. Thanks a lot.
>
>
> -----Original Message-----
> From: Unbound-users on behalf of W.C.A. Wijngaards
> Sent: Fri 19/09/2014 09:01 AM
> To: unbound-users at unbound.net
> Subject: Re: [Unbound-users] DNSSEC Validation
>
> Hi Abdalmonem,
>
> You need to sign your zone.  Then load the public key into unbound
> (with trust-anchor-file: "myfile" and myfile is a text file with
> the DNS resource records for the zone public key in it, you could
> simply copy them from the zonefile).
>
> Best regards, Wouter
>
> On 09/18/2014 08:51 PM, Abdalmonem Tharwat Galila wrote:
>> Any update !!!
>
>> Sent from my iPhone
>
>>> On Sep 17, 2014, at 7:43 PM, Abdalmonem Tharwat Galila
>>> <agalila at mcit.gov.eg> wrote:
>>>
>>> Hi, how can I add my local zone to be DNSSEC validated in
>>> unbound?
>>>
>>> Sent from my iPhone
>> _______________________________________________ Unbound-users
>> mailing list Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>

_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
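
Added example, not part of the thread and not NLnet Labs code: a syntactic pre-check for a DS record before it is placed in the file named by trust-anchor-file or in a trust-anchor: line. The function name lint_ds and the "example." record are assumptions made for illustration; the first sample is the DS line as it appears in the message above, and the digest lengths are the standard ones for digest types 1, 2 and 4.

```python
import re

# Hex-character length of the digest for each DS digest type
# (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

# DS line as quoted in the message above (tabs replaced by a space).
DS_FROM_MESSAGE = ("myTLD. IN DS 18016 7 2 "
                   "C160C68025F1909143A28296355EA3999B98A1D10752124154UC84BC 4DE82627")
# Constructed, syntactically valid record (not a real digest).
CONSTRUCTED_OK = "example. IN DS 12345 8 2 " + "AB" * 32


def lint_ds(line):
    """Return a list of problems in one DS record in presentation format."""
    text = line.split(";", 1)[0]                      # drop a zone-file comment
    tokens = text.replace("(", " ").replace(")", " ").split()
    upper = [t.upper() for t in tokens]
    if "DS" not in upper:
        return ["no DS record type found"]
    i = upper.index("DS")
    if i == 0:
        return ["missing owner name before DS"]
    problems = []
    if not tokens[0].endswith("."):
        problems.append("owner name %r is not fully qualified" % tokens[0])
    fields = tokens[i + 1:]
    if len(fields) < 4:
        return problems + ["expected: key-tag algorithm digest-type digest"]
    try:
        key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    except ValueError:
        return problems + ["key tag, algorithm and digest type must be integers"]
    if not 0 <= key_tag <= 65535:
        problems.append("key tag %d out of range" % key_tag)
    if not 0 <= algorithm <= 255:
        problems.append("algorithm %d out of range" % algorithm)
    digest = "".join(fields[3:])                      # digest may contain spaces
    bad = sorted(set(re.findall(r"[^0-9A-Fa-f]", digest)))
    if bad:
        problems.append("digest contains non-hex characters: %s" % "".join(bad))
    want = DIGEST_HEX_LEN.get(digest_type)
    if want is None:
        problems.append("unknown digest type %d" % digest_type)
    elif len(digest) != want:
        problems.append("digest type %d needs %d hex characters, got %d"
                        % (digest_type, want, len(digest)))
    return problems


if __name__ == "__main__":
    for record in (DS_FROM_MESSAGE, CONSTRUCTED_OK):
        print(record.split()[0], lint_ds(record) or "ok")
```

This checks only the textual form of the record; whether the DS matches the zone's DNSKEY is a separate check against the signed zone.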