Configuring Unbound
-------------------

1. Log in using SSH/Putty/... to your RESOLVER machine:

   (i.e. for group 1, you would use resolv.grp1.dns.nsrc.org)

   $ ssh adm@10.10.X.3

   Then become root:

   $ sudo bash

   *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'RESOLV' MACHINE, AND ***
   *** NOT IN YOUR 'AUTH1' or 'AUTH2'                                    ***

   Check that the hostname is set up correctly, as in the previous exercises.

2. On your RESOLVER machine (which you just logged into):

   # cd /usr/local/etc/unbound/

   Now you have TWO choices. You can either create unbound.conf from nothing,
   using the example below (Option I), or, if you feel comfortable, you can
   edit the file `unbound.conf` by hand and make the changes (Option II).
   The easiest is Option I - your choice!

   Option I: If you want to save time

   Create the file unbound.conf, and copy and paste the data below:

   --------------------------- copy below here -----------------------------
   server:
       verbosity: 1

       # specify the interfaces to answer queries from by ip-address.
       interface: 0.0.0.0

       # control which clients are allowed to make (recursive) queries
       access-control: 10.10.0.0/16 allow

       # If you give "" no chroot is performed. The path must not end in a /.
       chroot: ""

       # file to read root hints from.
       root-hints: "/usr/local/etc/unbound/named.root"

       # a number of locally served zones can be configured.
       local-zone: "10.10.in-addr.arpa." nodefault

   remote-control:
       # Enable remote control with unbound-control(8) here.
       control-enable: yes

       # what interfaces are listened to for remote control.
       control-interface: 0.0.0.0

       # port number for remote control operations.
       control-port: 953

       # unbound control files
       server-key-file: "/usr/local/etc/unbound/unbound_server.key"
       server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
       control-key-file: "/usr/local/etc/unbound/unbound_control.key"
       control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
   --------------------------- copy above here -----------------------------

   Option II: If you'd rather make the changes yourself...

   Otherwise skip to the next step!

   $ sudo cp unbound.conf.sample unbound.conf

   NOTE: Here, remember to use your favorite editor: ee, jed, joe, vi, ...

   $ sudo ee unbound.conf
   or
   $ sudo vi unbound.conf

   ... and make the following changes:

   a) enable listening

      - find the lines with:
          # interface: ...
          # interface: ...
        and just under, add this line:
          interface: 0.0.0.0

   b) access control

      - find the lines with:
          # access-control: ...
          # access-control: ...
        and just under, add this line:
          access-control: 10.10.0.0/16 allow

   c) chroot security

      - find the line
          # chroot: "/usr/local/etc/unbound"
        and just under, add this line:
          chroot: ""

      NOTE: We would normally not turn off chroot, which is a security
      mechanism, but we need to do this here in the lab because of
      restrictions from the virtualization environment. In a production
      environment, we wouldn't do this.

   d) set the root-hints file

      - find the line with:
          # root-hints: ""
        and just under, add this line:
          root-hints: "/usr/local/etc/unbound/named.root"

   e) re-enable the 10.10.in-addr.arpa zone

      - find the line with:
          # local-data-ptr: "192.0.2.3 www.example.com"
        and just under, add this line:
          local-zone: "10.10.in-addr.arpa." nodefault

   f) enable remote control

      - find the line with:
          # control-enable: no
        and CHANGE it (by removing the # in front) to:
          control-enable: yes

      - find the line with:
          # control-interface: 127.0.0.1
        and CHANGE it to:
          control-interface: 0.0.0.0

      - find the line with:
          # control-port: 8953
        and CHANGE it to:
          control-port: 953

      - finally, uncomment the 4 following lines:

          # server-key-file: "/usr/local/etc/unbound/unbound_server.key"
        becomes
          server-key-file: "/usr/local/etc/unbound/unbound_server.key"

          # server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
        becomes
          server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

          # control-key-file: "/usr/local/etc/unbound/unbound_control.key"
        becomes
          control-key-file: "/usr/local/etc/unbound/unbound_control.key"

          # control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
        becomes
          control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

   Save the file and exit.

   You still need to copy the named.root root hints file to where unbound
   can find it:

   # cd /usr/local/etc/unbound
   # cp /etc/namedb/named.root .

3. Create the control keys:

   # unbound-control-setup

4. Test the configuration:

   # unbound-checkconf

5. Edit /etc/rc.conf and add:

   unbound_enable="YES"

6. Start unbound!

   # service unbound start

   Check to see if it is running:

   # ps ax

   You may have to run this again to start.

7. Test

   $ dig @10.10.X.3
   $ dig noc.ws.nsrc.org @10.10.X.3

   Make sure you see SERVER: ...(10.10.X.3) at the bottom of dig's output.

   $ dig version.bind txt chaos @10.10.X.3

   What does the output say?

8. Enable DNSSEC validation

   Try to do some DNSSEC lookups:

   $ dig +dnssec @10.10.X.3 -t dnskey .

   Note the "flags: ..." response.

   Try the class resolver:

   $ dig +dnssec @10.10.0.230 -t dnskey .

   Note the lack of the "ad" flag.

   Edit unbound.conf.

   - In the "server:" section, before the "remote-control:" section, add:

   trust-anchor: ". DNSKEY 257 3 8 AwEAAc3PS/ln9ICSWGS5E9zCZez5sH5EJsqUbbL0V8+RZsQbpYI1L87gKHVCZgRgCfb1R1Vu+DcbIt6In/B5nvLaIZAe6lcx40Jt+Stm/PvES8YGVcJ9ndeCsp9xadFN5rGNa+pm536xOSm4LizWXvi+ibfsaIGOfUDIYClyHo1xChlGxbomw+tM1AgmKN8GketMGfGQGL03A1Vbeqe8n/cgEp5uC7ifAunAaHzW8R41t29aHyM3LYSyhqhboRbzyeO9FBPOy1r8oz7lJXeA9swBYiUo7p4ExdK+Ln9SUCb7UPnSqXRO/AwmhZr21JiSDzO9ggCYrbMZ37HXguiTBRg5bMU="

   YES! That is one long unbroken line. This is the class DNSSEC root zone
   key. It is available on the monitor.dnssek.org web site at the top of
   the page. You can also get this by executing:

   $ dig . dnskey @a.root-servers.net

   and using "DNSKEY 257 3 8 Aw.....". You must get this exactly right.
   Notice that you must remove any superfluous DNS fields like the TTL and
   "IN" etc.

   Execute:

   # service unbound restart

   Then try it!

   $ dig +dnssec @10.10.X.3 -t dnskey .
   $ dig +dnssec @10.10.X.3 www.mytld

   That's it. Your resolver now supports DNSSEC validation.
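The configuration in step 2 relaxes three settings that the exercise itself flags as lab-only or that a production deployment would treat differently: chroot is switched off, recursion is opened to 10.10.0.0/16, and the remote-control port is bound to every address rather than loopback. The following shell script is an added example, not part of the NSRC exercise or of Unbound: it audits an unbound.conf for exactly those settings and shows the lab file beside a production-style one. Both config files are constructed for the example; the production values are the ones unbound.conf.sample ships commented out (chroot "/usr/local/etc/unbound", control-interface 127.0.0.1, control-port 8953).

```shell
#!/bin/sh
# Added example (not from the NSRC exercise): audit an unbound.conf for the
# settings this lab deliberately relaxes. Both config files below are
# constructed for the example.

# Print one finding per line for settings that are fine in the lab but not in
# production: chroot disabled, recursion open to the whole Internet, and the
# remote-control port bound to a non-loopback address. Prints nothing if clean.
audit_unbound_conf() {
    awk '
        { sub(/#.*/, "") }                       # strip comments; awk re-splits the fields
        $1 == "chroot:" && $2 == "\"\"" {
            print "chroot disabled (chroot: \"\"): lab only, keep it enabled in production"
        }
        $1 == "access-control:" && $3 == "allow" && ($2 == "0.0.0.0/0" || $2 == "::/0") {
            print "open resolver: access-control allows recursion from " $2
        }
        $1 == "control-interface:" && $2 != "127.0.0.1" && $2 != "::1" {
            print "remote-control bound to " $2 ": control port reachable off-host, guarded only by the control certificates"
        }
    ' "$1"
}

# Number of findings as a plain integer (0 when the file is clean).
audit_unbound_conf_count() {
    audit_unbound_conf "$1" | awk 'END { print NR }'
}

# The lab configuration from this exercise, reduced to the lines that matter.
LAB_CONF=$(mktemp)
cat > "$LAB_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 10.10.0.0/16 allow
    chroot: ""
remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
    control-port: 953
EOF

# The same file with the production-style values that unbound.conf.sample
# ships commented out (constructed for the example).
PROD_CONF=$(mktemp)
cat > "$PROD_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 10.10.0.0/16 allow
    chroot: "/usr/local/etc/unbound"
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
EOF

echo "lab config:";  audit_unbound_conf "$LAB_CONF"     # two findings
echo "prod config:"; audit_unbound_conf "$PROD_CONF"    # nothing
```

Run it as `sh audit.sh` on the resolver, or point `audit_unbound_conf` at /usr/local/etc/unbound/unbound.conf after step 2; the lab file reports the disabled chroot and the 0.0.0.0 control-interface, and the access-control line is not reported because 10.10.0.0/16 is already a restricted range rather than the open 0.0.0.0/0.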
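Steps 7 and 8 have you read three things off dig's output by eye: the SERVER footer (did the query hit your resolver?), the "ad" flag (did the resolver validate the answer?), and the DNSKEY 257 record that has to be turned into the trust-anchor line with the TTL and "IN" removed. The script below is an added example, not part of the NSRC exercise or of Unbound, that does those three readings with sed and awk so they can be repeated after every config change. The dig output it parses is constructed and embedded; the key material in it is made up and is not the real root key.

```shell
#!/bin/sh
# Added example (not from the NSRC exercise): helpers that parse dig output
# for the checks in steps 7 and 8. All sample output below is constructed;
# the DNSKEY material is made up and is NOT a real root zone key.

# Build unbound's "trust-anchor:" line from the answer section of
# `dig . dnskey @a.root-servers.net` (read on stdin). Keeps only the KSK
# (flags 257), drops the TTL and class fields, and joins the base64 chunks
# that dig separates with spaces into the single unbroken string unbound wants.
dnskey_to_trust_anchor() {
    awk '$1 == "." && $4 == "DNSKEY" && $5 == "257" {
        key = ""
        for (i = 8; i <= NF; i++) {
            if ($i ~ /^;/) break             # stop at any trailing dig comment
            key = key $i
        }
        printf "trust-anchor: \". DNSKEY %s %s %s %s\"\n", $5, $6, $7, key
    }'
}

# Print the address of the server that answered, taken from the
# ";; SERVER: 10.10.1.3#53(10.10.1.3)" footer (read on stdin).
dig_server_ip() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Exit 0 when the ";; flags:" header carries "ad" (Authenticated Data), i.e.
# the resolver DNSSEC-validated the answer; exit 1 otherwise.
dig_has_ad_flag() {
    awk -F';' '/^;; flags:/ {
        n = split($3, tok, " ")
        for (i = 1; i <= n; i++) if (tok[i] == "ad") found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# Live check against a resolver (not run here): confirms which server answered
# and whether the answer was validated.
check_resolver() {                           # usage: check_resolver 10.10.X.3 www.mytld
    out=$(dig +dnssec "$2" @"$1")
    echo "answered by: $(printf '%s\n' "$out" | dig_server_ip)"
    printf '%s\n' "$out" | dig_has_ad_flag && echo "validated (ad)" || echo "NOT validated"
}

# Constructed dig output (made-up key material, shortened).
SAMPLE_DNSKEY=';; ANSWER SECTION:
.   172800  IN  DNSKEY  256 3 8 AwEAAZSKexample zskPart2==
.   172800  IN  DNSKEY  257 3 8 AwEAAc3PexampleKSK kskPart2 kskPart3=='

SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 10.10.1.3#53(10.10.1.3)'

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 10.10.0.230#53(10.10.0.230)'

printf '%s\n' "$SAMPLE_DNSKEY" | dnskey_to_trust_anchor
printf '%s\n' "$SAMPLE_VALIDATED" | dig_server_ip
printf '%s\n' "$SAMPLE_VALIDATED" | dig_has_ad_flag && echo "validated (ad)" || echo "NOT validated"
printf '%s\n' "$SAMPLE_UNVALIDATED" | dig_has_ad_flag && echo "validated (ad)" || echo "NOT validated"
```

On the resolver, `dig . dnskey @a.root-servers.net | dnskey_to_trust_anchor` prints the line to paste into the server: section, and `check_resolver 10.10.X.3 www.mytld` should report your own resolver's address and "validated (ad)" once step 8 is done; the same call against 10.10.0.230 should report "NOT validated", matching the missing flag the exercise asks you to notice.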