[Unbound-users] DNSSEC Validation
Abdalmonem Tharwat Galila
2014-09-17 16:43:43 UTC
Hi,
How can I add my local zone to be DNSSEC validated in unbound?

Sent from my iPhone
Abdalmonem Tharwat Galila
2014-09-18 18:51:02 UTC
Any update !!!

Sent from my iPhone

W.C.A. Wijngaards
2014-09-19 07:01:08 UTC
Hi Abdalmonem,

You need to sign your zone. Then load the public key into unbound
(with trust-anchor-file: "myfile" and myfile is a text file with the
DNS resource records for the zone public key in it, you could simply
copy them from the zonefile).

Best regards,
Wouter

W.C.A. Wijngaards
2014-09-19 10:00:17 UTC
Hi Abdelmeniem,

Copy the DS record in a text file:
echo " .... DS record ... " > mykeyfile

Change unbound.conf:
trust-anchor-file: "mykeyfile"

restart unbound.

Best regards,
Wouter

On 09/19/2014 11:14 AM, Abdelmeniem Tharwat wrote:
> I have already signed my zone and have a DS record, but I do not
> know how to upload this DS to unbound, or how to add my zone to
> Unbound. Could you explain this step by step? I am using Red Hat
> Linux. Thanks a lot.
Abdalmonem Tharwat Galila
2014-09-19 11:15:00 UTC
Server No 1 for Unbound "172.16.96.196":

I have already added
trust-anchor: "myTLD. IN DS 18016 7 2 C160C68025F1909143A28296355EA3999B98A1D10752124154UC84BC 4DE82627"

service unbound restart >>> ok

Server No 2 for Unbound:

This server contains the signed zone, added to named.conf. I edited /etc/resolv.conf to point to server no 1 "nameserver -------- ".
When I try to dig myDOmain.myTLD "A record":

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> +dnssec myDOmain.myTLD +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50746
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;myDOmain.myTLD. IN A

;; Query time: 0 msec
;; SERVER: 172.16.96.196#53(172.16.96.196)
;; WHEN: Fri Sep 19 14:11:40 2014
;; MSG SIZE rcvd: 49

Could you advise?
Really appreciate your reply.

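An offline check for a trust anchor of the kind configured in this thread, added here as an example (it is not code from the thread or from Unbound): it lints a DS line and recomputes the DS from a DNSKEY with the RFC 4034 construction, so the two can be compared before unbound is restarted. The function names, the owner name `example.test.` used with it, and the sample DNSKEY are constructed for illustration.

```python
import hashlib

# DS digest types -> (hash, digest length in hex chars): SHA-1, SHA-256, SHA-384.
DIGESTS = {1: (hashlib.sha1, 40), 2: (hashlib.sha256, 64), 4: (hashlib.sha384, 96)}

# Trust anchor exactly as posted in the thread.
POSTED = ("myTLD. IN DS 18016 7 2 "
          "C160C68025F1909143A28296355EA3999B98A1D10752124154UC84BC 4DE82627")
# Constructed DNSKEY fields (flags, protocol, algorithm, key bytes); not a real key.
SAMPLE_KEY = (257, 3, 7, bytes.fromhex("01020304"))

def parse_ds(line):
    """Parse 'owner [TTL] IN DS tag alg dtype digest'; return (fields, problems)."""
    tok = line.split()
    rdata = tok[tok.index("DS") + 1:] if "DS" in tok else []
    if len(rdata) < 4 or not all(t.isdigit() for t in rdata[:3]):
        return None, ["expected: owner IN DS key-tag algorithm digest-type digest"]
    tag, alg, dtype = (int(t) for t in rdata[:3])
    digest = "".join(rdata[3:]).upper()  # spaces inside the digest are legal
    problems = []
    bad = sorted(set(digest) - set("0123456789ABCDEF"))
    if bad:
        problems.append("non-hex characters in digest: " + "".join(bad))
    if dtype not in DIGESTS:
        problems.append("unsupported digest type %d" % dtype)
    elif len(digest) != DIGESTS[dtype][1]:
        problems.append("digest has %d hex chars, expected %d" % (len(digest), DIGESTS[dtype][1]))
    return {"tag": tag, "alg": alg, "dtype": dtype, "digest": digest}, problems

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, alg, pubkey, dtype=2):
    """DS text for a DNSKEY: digest = H(canonical owner name | DNSKEY RDATA)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + pubkey
    labels = [l for l in owner.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = DIGESTS[dtype][0](wire + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, dtype, digest)

def anchor_matches(ds_line, owner, flags, protocol, alg, pubkey):
    """True only if the DS line is well formed and matches this DNSKEY."""
    ds, problems = parse_ds(ds_line)
    if problems:
        return False
    mine, _ = parse_ds(ds_from_dnskey(owner, flags, protocol, alg, pubkey, ds["dtype"]))
    return all(ds[k] == mine[k] for k in ("tag", "alg", "digest"))
```

On a real system the DNSKEY fields come from the signed zone file, and `parse_ds` is run on the line placed in `trust-anchor:` or in the trust-anchor file.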