Differences

This shows you the differences between two versions of the page.

--- opennic:dnssec [2018-04-16T19:49:31Z] – created jonaharagon
+++ opennic:dnssec [2022-01-22T16:55:23Z] (current) – Add Unbound configuration Jeremy
@@ Line 39: / Line 39: @@
 >
 > <code>
-dig DNSKEY . @45.56.116.224 +short
+dig DNSKEY . @195.201.99.61 +short
 </code>
 > <code>
@@ Line 72: / Line 72: @@
 . Restart BIND: ''systemctl restart bind9''
+==== PowerDNS Recursor ====
+Create ''/etc/powerdns/config.lua'' with the following content:
+<file lua config.lua>
+addDS('.', "47089 8 2 6D81988A88BD546E429486CC0A97518F90F9FC6C6C6B7E5BC2788469858C7324")
+</file>
+Add the following lines to ''/etc/powerdns/recursor.conf'':
+<code>
+lua-config-file=/etc/powerdns/config.lua
+dnssec=log-fail
+</code>
+Note that this will validate correctly, but will only log bogus domains instead of returning ''SERVFAIL''. This is fine in the DNSSEC testing period, but for full DNSSEC compliance, ''dnssec'' should be changed from ''log-fail'' to ''validate''.
+Restart PowerDNS: ''systemctl restart pdns-recursor''
 ==== dnsmasq ====
@@ Line 82: / Line 101: @@
 trust-anchor=.,47089,8,2,6d81988a88bd546e429486cc0a97518f90f9fc6c6c6b7e5bc2788469858c7324
 </code>
+==== Unbound ====
+. Generate the ''/etc/unbound/opennic.dnskey'' file:
+<code>
+dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - . > /etc/unbound/opennic.dnskey
+</code>
+. Edit ''/etc/unbound/unbound.conf'' and set the attribute ''auto-trust-anchor-file'' with the ''opennic.dnskey'' file:
+<code>
+auto-trust-anchor-file: "opennic.dnskey"
+</code>
+. Restart Unbound: ''systemctl restart unbound''
 ===== Testing DNSSEC =====