You should be careful to validate the actual key that you add to the configuration, and not e.g. trust what you might find in a web site that doesn't use SSL (https) or that doesn't have secure management of its content. E.g. posting the actual key here is probably not wise, and it can change over time at any rate. The advice at the unbound site for "unbound-anchor" looks good, and when that command is securely available as part of an Ubuntu release it looks like that will be a good option. It looks like that has been enabled since unbound version 1.4.9-1 and is currently part of the Oneiric release. See more at Debian bug #594911.
For bind9, follow Bug #782614 in bind9 (Ubuntu): “make configuring DNSSEC validation easier” for progress on making this process easier. It would seem to make sense to actually include the current key as part of the Ubuntu packaging of bind9, or add some sort of update mechanism like unbound-anchor, for the convenience and protection of the users.
Install and set up your nameserver (bind9 package) normally, and then just add the following stanza to /etc/bind/named.conf.options:

Then restart the service (sudo service bind9 restart).

To make sure it is working, try to resolve "www.dnssec-failed.org", it should fail:
If it gives an IP address, then DNSSEC validation is not working.
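An added check for the test described above (example code, not from the original answer): a POSIX shell script that reads the output of dig for www.dnssec-failed.org and reports whether the resolver refused the deliberately broken zone or handed back an address, plus a check for the AD flag on a correctly signed name. The sample replies are constructed, and the local resolver address 127.0.0.1 and the dig options are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes dig (dnsutils) for
# the live check only; the classification functions work on captured text.

# Print "validating" if the reply for the deliberately broken zone was
# SERVFAIL, "not-validating" if an A record came back, otherwise "unknown".
classify_failed_zone_reply() {
    reply="$1"
    if printf '%s\n' "$reply" | grep -q 'status: SERVFAIL'; then
        echo validating
    elif printf '%s\n' "$reply" | grep -Eq '^www\.dnssec-failed\.org\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+A[[:space:]]'; then
        echo not-validating
    else
        echo unknown
    fi
}

# For a correctly signed name, the AD (authenticated data) flag in the header
# is the positive confirmation that the resolver validated the answer.
has_ad_flag() {
    printf '%s\n' "$1" | grep -E '^;; flags:' | grep -Eq '(^|[[:space:]])ad([[:space:]]|;)'
}

# Live check against the local resolver (assumed to listen on 127.0.0.1).
check_local_resolver() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 2; }
    reply=$(dig @127.0.0.1 www.dnssec-failed.org A +time=5 +tries=1 2>&1)
    classify_failed_zone_reply "$reply"
}

# Constructed, abridged dig replies used for offline testing.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_ANSWERED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.dnssec-failed.org.   300   IN   A   192.0.2.10'

SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Run the live check only when explicitly asked for: sh script.sh --live
if [ "${1:-}" = --live ]; then
    check_local_resolver
fi
```

Source the script in a shell and call check_local_resolver, or run it with --live, to classify the resolver on this machine.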
You have a choice of at least two possible caching nameservers: bind9 and unbound.
Instructions on configuring and testing each of them with the current root key (first created in July of 2010) are in the Debian wiki: