Configuring Unbound
-------------------

1. Unbound just works after installation under Ubuntu. It has already been
   installed (apt-get install unbound) on your NOC machine at 10.X.2.1.

   To enable and start:

   $ ssh tldadmin@10.X.2.1

   Then become root

   $ sudo bash

   *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'NOC' MACHINE, AND ***
   *** NOT IN YOUR 'AUTH1'                                            ***

2. On your NOC machine (which you just logged into)

   # update-rc.d unbound enable
   # service unbound start

3. Test

   Unbound is set up by default to listen only on the local loopback
   address 127.0.0.1. See "man unbound.conf" and /etc/unbound/unbound.conf
   if you would like to modify this default behavior.

   $ dig @127.0.0.1
   $ dig noc.ws.nsrc.org @127.0.0.1

   Make sure you see SERVER: ...(127.0.0.1) at the bottom of dig's output.

   $ dig version.bind txt chaos @127.0.0.1

   What does the output say?

   DNSSEC is enabled by default and Unbound securely fetches the root key
   from ICANN. Try to do some DNSSEC lookups.

   $ dig +dnssec @127.0.0.1 -t dnskey .

   Note the "flags: ..." response.

   Try the class resolver:

   $ dig +dnssec @10.192.0.230 -t dnskey .

   Note that we are "seeing" the REAL Internet since unbound is using the
   default root.hints nameservers and not the classroom one.

   $ dig +dnssec @127.0.0.1 www.MYTLD

   Should not return an ANSWER section. But...

   $ dig +dnssec @127.0.0.1 www.kirei.se

   would, with the "ad" bit set.

4. Once done testing you may wish to disable Unbound on the NOC

   # update-rc.d unbound disable
   # service unbound stop
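
Added example (not part of the original lab sheet): a small shell helper that automates the two checks from step 3, namely that the reply came from the resolver you queried (the SERVER line) and that the "ad" flag is set. The function names and the abbreviated dig output samples are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: abbreviated dig output for a validated answer.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed sample: same shape, but no "ad" flag and no ANSWER records.
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Print the header flags, e.g. "qr rd ra ad".
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1
}

# Print the address inside the first parentheses of the SERVER line.
dig_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: [^(]*(\([^)]*\)).*/\1/p' | head -n 1
}

# Succeed only if "ad" appears as a whole word among the flags.
has_ad_flag() {
    case " $(dig_flags "$1") " in
        *" ad "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the reply came from the expected resolver AND carries "ad".
validated_by() {
    [ "$(dig_server "$1")" = "$2" ] && has_ad_flag "$1"
}

# Human-readable verdict for one captured dig output.
report() {
    if validated_by "$1" "$2"; then
        echo "validated by $2"
    else
        echo "NOT validated by $2"
    fi
}

report "$SAMPLE_SECURE" 127.0.0.1
report "$SAMPLE_INSECURE" 127.0.0.1
```

To run it against the live resolver on the NOC, pass real output instead of a sample, for example `report "$(dig +dnssec @127.0.0.1 www.kirei.se)" 127.0.0.1`.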