In fact I am an ISC fanboy, so I have been using BIND for as long as I can remember and never took a look at other nameservers until a few weeks ago, when I set up Unbound as a resolver to see how it performs and how easy it is to set up. However, this post is just about how to set that stuff up and make sure it does DNSSEC.
BIND
/etc/bind/named.conf.acl
I use this file to define the hosts and networks that are allowed to use my DNS server as a resolver.
acl mynetworks {
    network1/26;
    network2/27;
    ip1/32;
    ip6/128;
    localhost;
    localnets;
};
/etc/bind/named.conf.keys
This file holds the trust anchor for the root zone: the root KSK (this is KSK-2010, key tag 19036) as a managed-keys statement. managed-keys means BIND tracks root KSK rollovers on its own via RFC 5011 and stores what it learns in managed-keys.bind in its working directory, so that directory must be writable by named. Note that this key was replaced by KSK-2017 (key tag 20326) in the October 2018 rollover; a resolver that had been running with managed-keys followed that automatically, but a fresh setup should start from the current root anchor rather than from the key below.
managed-keys {
    "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
    FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
    bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
    X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
    W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
    Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
    QxA+Uk1ihz0=";
};
Hint: managed-keys only works with BIND 9.7 and newer; see ISC's "Using the root DNSSEC key in BIND 9 resolvers".
/etc/bind/named.conf.options
In this file I set the working directory and enable dnssec and dnssec-validation. Recursion is disabled globally because I enable it only for a specific view later. Keep in mind that dnssec-validation yes only validates against trust anchors you configured yourself (the managed-keys above); without an anchor nothing is validated and every answer is simply treated as insecure. Newer BIND versions also accept dnssec-validation auto, which uses the root key compiled into BIND.
options {
    directory "/var/cache/bind";
    dnssec-enable yes;
    dnssec-validation yes;
    recursion no;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
/etc/bind/named.conf.views
This file shows how I use views to split the resolver into internal clients (those in mynetworks, which are allowed to use this resolver) and external ones (which are not). The external view matches everybody else, contains no zones and refuses recursion, so queries from outside get REFUSED instead of an answer from the cache; that is what keeps this server from being an open resolver that could be abused for DNS reflection and amplification. I believe there was a reason why I set additional-from-auth and additional-from-cache to yes, but I don't remember it, so you might want to remove those two. (Both default to yes in BIND 9 anyway.)
view "internal" in {
    match-clients { mynetworks; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    allow-query-cache { any; };
    allow-query { any; };
    include "/etc/bind/named.conf.default-zones";
};

view "external" in {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
};
/etc/bind/named.conf
The named.conf just puts everything together by including the configuration files above (named.conf.local, which is not shown here, holds my local zones).
include "/etc/bind/named.conf.keys";
include "/etc/bind/named.conf.acl";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.views";
Unbound
/etc/unbound/unbound.conf
The configuration for Unbound is pretty simple. You might remove everything below '# use all cpus' and take a proper look at optimizing Unbound yourself; the documentation is pretty good in that regard. Two things worth knowing: Unbound refuses queries from every address that has no access-control allow rule (only localhost is allowed by default), so listening on 0.0.0.0 and ::0 does not turn this into an open resolver; and an outgoing-range much larger than the default needs an Unbound built with libevent, which is what the '# libevent' comment refers to.
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: network1/27 allow
    access-control: network2/26 allow
    access-control: ip1/32 allow
    access-control: ip6/128 allow
    verbosity: 1
    # use all cpus
    num-threads: 2
    # faster udp with multithreading
    so-reuseport: yes
    # libevent
    outgoing-range: 8192
    num-queries-per-thread: 4096
    # statistics
    statistics-interval: 3600
    extended-statistics: yes
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
The important part to make it DNSSEC-aware is the root trust anchor file. On Debian the unbound package already ships this snippet; /var/lib/unbound/root.key is created and kept up to date by unbound-anchor at service start, and auto-trust-anchor-file means Unbound itself also tracks root KSK rollovers (RFC 5011) and rewrites the file, so it has to be writable by the unbound user.
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
Verification
I've just added DNSSEC to my blog domain, so let's check.
Unbound
root@dns-de2:~# dig @127.0.0.1 jeanbruenn.info. A +dnssec +multiline

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @127.0.0.1 jeanbruenn.info. A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36082
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jeanbruenn.info.       IN A

;; ANSWER SECTION:
jeanbruenn.info.        1200 IN A 84.201.38.2
jeanbruenn.info.        1200 IN RRSIG A 13 2 1200 (
                                20170516223345 20170416220032 21415 jeanbruenn.info.
                                vYKRPbv82/OS3Z4BGRuS73Pmt4/ZYFw5/u1hby5l1bPL
                                nJhOQ0qguelqV+QfSliCdMeuup/yfT5WqJ3Xy37Cjg== )

;; Query time: 1174 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 17 12:21:08 CEST 2017
;; MSG SIZE  rcvd: 331
I removed the authority section from the output above. The important bits are:
- The Authenticated Data (ad) flag in the header. This is the one that shows the resolver actually validated the answer: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
- The DNSSEC OK (do) EDNS flag: ; EDNS: version: 0, flags: do; udp: 4096. It only echoes the +dnssec from the query and is what makes the resolver include the signatures; on its own it proves nothing about validation.
- An RRSIG record with the same owner name, covering the A record. This shows the zone is signed; together with ad it shows the resolver checked that signature.
BIND
Let's check whether the BIND resolver gets the same result.
root@resolver1:~# dig @127.0.0.1 jeanbruenn.info. A +dnssec +multiline

; <<>> DiG 9.9.5-9+deb8u8-Debian <<>> @127.0.0.1 jeanbruenn.info. A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59494
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jeanbruenn.info.       IN A

;; ANSWER SECTION:
jeanbruenn.info.        227 IN A 84.201.38.2
jeanbruenn.info.        227 IN RRSIG A 13 2 1200 (
                                20170516223345 20170416220032 21415 jeanbruenn.info.
                                vYKRPbv82/OS3Z4BGRuS73Pmt4/ZYFw5/u1hby5l1bPL
                                nJhOQ0qguelqV+QfSliCdMeuup/yfT5WqJ3Xy37Cjg== )

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 17 06:28:04 EDT 2017
;; MSG SIZE  rcvd: 171
- AD flag: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
- DO flag: ; EDNS: version: 0, flags: do; udp: 4096
- RRSIG: jeanbruenn.info. 227 IN RRSIG A 13 2 1200 (
The lower TTL (227 instead of 1200) and the 1 msec query time just mean this resolver already had the record cached; the signature is the same one the Unbound resolver received.
So it pretty much works. A positive answer with ad is only half of the test, though: a deliberately broken zone should come back as SERVFAIL, and only come back with an answer once you query it with +cd (checking disabled). You should also make sure that there are _only_ DNSSEC-validating resolvers in your /etc/resolv.conf, because the stub resolver falls back to the next nameserver when one fails, and a single non-validating entry is a way around validation. Finally, the ad bit is just a bit in a DNS response, only as trustworthy as the path between client and resolver, so validate on localhost (as in both setups above) if you actually rely on it.
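The checks above can be turned into a script. The following is an added example, not code from the original post: it parses dig's text output into a verdict (secure, bogus or insecure, with the do flag and RRSIG presence deliberately not counted as proof), adds the negative test the post skips (a zone with broken signatures must come back SERVFAIL, and must come back with an answer again once +cd disables checking), and, when run as a script, probes every nameserver listed in /etc/resolv.conf. It assumes dig is installed and that dnssec-failed.org is still maintained as an intentionally broken zone; the embedded sample outputs are constructed (the first one follows the Unbound output above).

```python
"""Classify dig output and probe the resolvers in /etc/resolv.conf for DNSSEC validation.
Added example for this post, not the original page's code. Assumes dig is installed and
that dnssec-failed.org is still an intentionally broken zone; sample outputs are constructed."""
import re
import subprocess
import sys

SIGNED_NAME = "jeanbruenn.info."   # the signed zone the post tests
BOGUS_NAME = "dnssec-failed.org."  # assumption: deliberately broken signatures

# Constructed dig outputs, trimmed to the lines that matter (the first follows the post).
SAMPLE_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36082
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
jeanbruenn.info.  1200  IN  A  84.201.38.2
jeanbruenn.info.  1200  IN  RRSIG  A 13 2 1200 20170516223345 20170416220032 21415 jeanbruenn.info. vYKR...
"""
SAMPLE_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""
SAMPLE_BOGUS_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
dnssec-failed.org.  300  IN  A  192.0.2.1
dnssec-failed.org.  300  IN  RRSIG  A 5 2 300 20990101000000 20170101000000 1 dnssec-failed.org. AAAA
"""
SAMPLE_NOT_VALIDATED = SAMPLE_SECURE.replace("qr rd ra ad;", "qr rd ra;")


def parse_dig(output):
    """Pull rcode, header flags, EDNS flags and RRSIG presence out of dig's text output."""
    m = re.search(r"status: (\w+)", output)
    status = m.group(1) if m else None
    m = re.search(r";; flags: ([a-z ]*);", output)
    flags = set(m.group(1).split()) if m else set()
    m = re.search(r"; EDNS: version: \d+, flags: ([a-z ]*);", output)
    edns = set(m.group(1).split()) if m else set()
    rrsig = re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", output, re.M) is not None
    return {"status": status, "flags": flags, "edns": edns, "rrsig": rrsig}


def classify(output):
    """What one response proves:
    secure   - AD set and CD clear: the resolver validated the data.
    bogus    - SERVFAIL: data withheld (validation failure, or a plain resolution failure).
    insecure - answer without AD: unsigned zone, non-validating resolver, or asked with +cd.
    unknown  - any other rcode.
    Neither the 'do' EDNS flag (an echo of +dnssec) nor a returned RRSIG proves validation."""
    r = parse_dig(output)
    if r["status"] == "SERVFAIL":
        return "bogus"
    if r["status"] != "NOERROR":
        return "unknown"
    if "ad" in r["flags"] and "cd" not in r["flags"]:
        return "secure"
    return "insecure"


def resolver_validates(probe):
    """Three probes: signed zone, bogus zone, bogus zone with +cd. A validating resolver
    answers secure / bogus / insecure; the +cd answer shows the SERVFAIL came from
    validation and not from the zone being unreachable."""
    return (classify(probe["signed"]) == "secure"
            and classify(probe["bogus"]) == "bogus"
            and classify(probe["bogus_cd"]) == "insecure")


def resolv_conf_nameservers(text):
    """Nameserver addresses from resolv.conf contents; comments and options are skipped."""
    return [p[1] for p in (line.split() for line in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def dig(server, name, *extra):
    """Run dig against one resolver and return its text output (needs network)."""
    cmd = ["dig", "@" + server, name, "A", "+dnssec", "+time=3", "+tries=1", *extra]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    with open("/etc/resolv.conf") as f:
        servers = resolv_conf_nameservers(f.read())
    failed = 0
    for s in servers:
        probe = {"signed": dig(s, SIGNED_NAME), "bogus": dig(s, BOGUS_NAME),
                 "bogus_cd": dig(s, BOGUS_NAME, "+cd")}
        ok = resolver_validates(probe)
        failed += not ok
        print(f"{s}: {'validating' if ok else 'NOT validating'}",
              {k: classify(v) for k, v in probe.items()})
    sys.exit(1 if failed else 0)
```

Run it as root or any user on the resolver host; it exits non-zero if any nameserver in resolv.conf fails one of the three probes, which is exactly the case where a client could silently be served unvalidated data.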