Show pageOld revisionsBacklinksBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ====== DNSSEC Validation ====== DNSSEC is a mechanism that prevents DNS forgeries that could potentially redirect you or your Tier 2 users to malicious sites. ===== Tier 2 Configuration ===== FIXME We're looking for guides for other DNS software, contributions welcome! Tier 2 providers may enable DNSSEC validation by following the guide(s) below, corresponding to their DNS software. Please note that in each case, the keys need to be manually defined in your configuration, and **will need to be updated each time the root key changes**. Servers providing this service will need to stay up-to-date on the mailing list to ensure they remain in service. ==== BIND9 ==== The file paths in this guide are the defaults on many systems including Ubuntu and Debian, but may need to be modified to suit your configuration. 1. Create the file ''/etc/bind/named.conf.keys'' with the following content: <file - named.conf.keys> trust-anchors { . initial-key 257 3 8 "AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575 I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQ+ Er4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO 0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO 6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4 tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9 PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ /l8ThKc57bGYy9TX"; }; </file> > :!: Don't just blindly copy this wiki page, ensure the key matches the current root zone's ''DNSKEY'': > > <code> dig DNSKEY . @195.201.99.61 +short </code> > <code> 256 3 8 AwEAAeXw6/FhGTrrrowgiK/4mWwP76JM/Np6FwHmQ+Qn73wdOWT0d189 gkNeVNTVyQNU+q+MBnJ01OFbgQqsey6pd2OjAD5i8pDqZz/0zS7z70Uv eScfqLv08n8qoZOsv7QhytVE9qGqfXgeeGPUctOeqfdlJN/NXnU7crBT 6AxLg1FChV1m3dOcJwCW72XPi/Mbo9dsJSgbWZmVGCILBEQjVa13K4lt roHibq/1kUvmei0TLpzDpwu9OG3m50tAa+JTyId2vqopbCqEk2rQspQ/ TbewkG2jF7TRvDZbRje8Z2eA2HLW3ClrlIFBcyv/0NqrFH9CJCR2g2Mu a77etVdrgUE= 257 3 8 AwEAAbtbsu+wl3fbEDbgvMgJ1BDXeAk5t6BU7B1KGVvc13zMJtjvarxp WWrAb7fmWERX8kJawa3KpYty0EDFQ24nfQyhwEOld442ca89u4/ZU3jP uwKohbGn55vIQ7KjCIrDNvRYjGVn2MNwZnL4WVVclJYsa1cGwVQ9t575 I5yvU+5g+jVcjUsGwFn6xmuJC0Z33ABKsC8b1cjfcnvE4wP3CrXOlDQ+ Er4uPUtMKrmG+Sj1Bm5U+do78mwEXOlTz/sNj8tkpL0pYB2j+XNaDVrO 0uS1beekejnttMsC4SHMCsiwMvigW2O54ByhzijU2v87d7U9WEMVfPvO 6gearg1fo/1Tk4buzPZcS+W9WZgFAt7kT1ois3x0GGT7J55zENB9IZU4 tMmWdYbZJOZsdAzmshuWJIUlTZdNN5671Rhc6P9TWnMlvb9iNT7G3DZ9 PhBw1OF/OmmXobv3Wygbt5+u7q2CPPzwU4WTGpVNtr3Iry2SPW3XVpJS M3+nW7LfxxtWZJlN4MDQYC5IptU+A5EO80/yE38E9tKGDWC1+Nw59QLa BE7ff+Jkq7OMjTHjFhYivkJSv+8LEbkGjWoaMAS2CT3/ZVMYLiQn8THi ZUBF+aOzJMw0EGPag1Qq4vfGgFkQMM3hOaH6bWN1yCvmspuiwLYkNCZZ /l8ThKc57bGYy9TX </code> 2. Add ''dnssec-validation yes;'' to ''/etc/bind/named.conf.options'', replacing ''dnssec-validation auto;'' if it already exists: <code> options { directory "/var/cache/bind"; dnssec-validation yes; notify yes; recursion yes; allow-query { any; }; allow-transfer { any; }; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; }; </code> 3. Add the line ''include "/etc/bind/named.conf.keys";'' to ''/etc/bind/named.conf'' **above** all other ''include'' lines. Your final ''named.conf'' file should look something like this: <code> include "/etc/bind/named.conf.keys"; include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; include "/etc/bind/named.conf.opennic"; </code> 4. Restart BIND: ''systemctl restart bind9'' ==== PowerDNS Recursor ==== Create ''/etc/powerdns/config.lua'' with the following content: <file lua config.lua> addDS('.', "60820 8 2 A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538") </file> Add the following lines to ''/etc/powerdns/recursor.conf'': <code> lua-config-file=/etc/powerdns/config.lua dnssec=log-fail </code> Note that this will validate correctly, but will only log bogus domains instead of returning ''SERVFAIL''. This is fine in the DNSSEC testing period, but for full DNSSEC compliance, ''dnssec'' should be changed from ''log-fail'' to ''validate''. Restart PowerDNS: ''systemctl restart pdns-recursor'' ==== dnsmasq ==== Add the following lines to your ''dnsmasq.conf'' file: <code> dnssec trust-anchor=.,60820,8,2,A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538 </code> ==== Unbound ==== 1. Generate the ''/etc/unbound/opennic.dnskey'' file: <code> dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - . > /etc/unbound/opennic.dnskey </code> 2. Edit ''/etc/unbound/unbound.conf'' and set the attribute ''auto-trust-anchor-file'' with the ''opennic.dnskey'' file: <code> auto-trust-anchor-file: "opennic.dnskey" </code> 3. Restart Unbound: ''systemctl restart unbound'' ===== Testing DNSSEC ===== Queries to a DNSSEC validating server with the DO flag set should return an answer with the ''ad'' (Authenticated Data) flag set in the header: <code> root@korridor:~# dig pir.org +dnssec +multi @46.102.156.180 ; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> pir.org +dnssec +multi @46.102.156.180 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22885 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 65494 ; COOKIE: 641abe6c795889030100000069f2434e9c48eb04cf870e99 (good) ;; QUESTION SECTION: ;pir.org. IN A ;; ANSWER SECTION: pir.org. 299 IN A 141.193.213.20 pir.org. 299 IN A 141.193.213.21 pir.org. 299 IN RRSIG A 5 2 300 ( 20260512204001 20260428204001 42621 pir.org. FnApY4+UtOcd3InElCd8W9+q8koa8vw5qt68ZETv+EcN ZnTzUm2qW+9AqE7R0YfS2ZBs9c9fn65CuFsRr+ynEyI/ OyekiTuLZhmgZjLR5bSlUi1dGPA0G1EUdBrZvaxJGb3z UYcjWXGoi6zhX7vqzuFwJ0VN7B0aYhQnyvU+0v8= ) ;; Query time: 735 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP) ;; WHEN: Wed Apr 29 19:43:42 CEST 2026 ;; MSG SIZE rcvd: 263 </code> On these servers, attempting to resolve a domain with broken DNSSEC validation should return a ''SERVFAIL'', without any DNS data: <code> root@korridor:~# dig dnssec-failed.org +dnssec +multi @46.102.156.180 ; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> dnssec-failed.org +dnssec +multi ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36673 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 65494 ; COOKIE: dd4e47674a1c21f40100000069f24389ffb0f254c877cb94 (good) ;; QUESTION SECTION: ;dnssec-failed.org. IN A ;; Query time: 1555 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP) ;; WHEN: Wed Apr 29 19:44:41 CEST 2026 ;; MSG SIZE rcvd: 74 </code> And finally, requesting a domain with no DNSSEC data should just return a normal response, with no ''ad'' flag: <code> root@korridor:~# dig google.com +dnssec +multi @46.102.156.180 ; <<>> DiG 9.20.21-1~deb13u1-Debian <<>> google.com +dnssec +multi @46.102.156.180 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15620 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ; COOKIE: 19b6c445faa8b2370100000069f2442a56ff0168fadfb041 (good) ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 285 IN A 142.251.38.142 ;; Query time: 3 msec ;; SERVER: 46.102.156.180#53(46.102.156.180) (UDP) ;; WHEN: Wed Apr 29 19:47:22 CEST 2026 ;; MSG SIZE rcvd: 83 </code> /wiki/data/pages/opennic/dnssec.txt Last modified: 5 days agoby joestr1