Just recently IANA published an Interim Trust Anchor Repository, the IANA ITAR. It contains the DNSSEC trust anchors of top level domains that are signed (.se, .br, ...), obtained through IANA's existing relationship with those TLD operators for arranging their normal DNS delegations. This guide explains how to use the IANA ITAR with unbound.
The easiest way is to turn on DLV. The ISC DLV maintainers have expressed the intent to automatically import the IANA ITAR contents into their DLV repository and to keep that updated. In addition, the DLV contains many other DNSSEC keys for various domains.
To enable the ISC DLV, download their DNSSEC key and save it to /usr/local/etc/unbound/dlv.isc.org.key (or /etc/unbound, or wherever your unbound is installed). You can also get the key with

dig dlv.isc.org DNSKEY | grep 257 > dlv.isc.org.key

Note that a key fetched this way over plain DNS is not authenticated, and grep 257 also matches any other line that happens to contain "257"; check the saved file by hand and compare it with the key ISC publishes before trusting it.
Then put these lines into /etc/unbound/unbound.conf (or /usr/local/etc/unbound/unbound.conf), somewhere after the server: line:

# File with DLV trusted keys.
dlv-anchor-file: "dlv.isc.org.key"

A relative file name is taken relative to unbound's working directory (the directory: setting). This configures unbound to use the ISC DLV, which in turn contains the IANA ITAR.
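The grep 257 shortcut above matches on the whole line, so it also picks up TTLs and key material that contain the digits 257. The following is an added example, not part of the original guide or of unbound: it selects the KSK by the flags field of the DNSKEY record instead. The dig output it works on is constructed (the key data is made up) so that it runs offline; the second ZSK deliberately contains "257" inside its base64.

```shell
#!/bin/sh
# Added example (not from the original guide): select the KSK (flags 257)
# from DNSKEY records by field, instead of 'grep 257' which also matches a
# TTL of 2570 or "257" inside base64 key data.

# Constructed sample of what 'dig dlv.isc.org DNSKEY' prints. Owner, TTL,
# class, type, flags, protocol, algorithm, key data. Key data is made up.
SAMPLE_DIG_OUTPUT='
; <<>> DiG 9.x <<>> dlv.isc.org DNSKEY
;; ANSWER SECTION:
dlv.isc.org.    2570    IN  DNSKEY  256 3 5 AwEAAexampleZSKkeyDATA==
dlv.isc.org.    2570    IN  DNSKEY  257 3 5 AwEAAexampleKSKkeyDATA==
dlv.isc.org.    2570    IN  DNSKEY  256 3 5 AwEAAa257exampleZSKkeyDATA==
'

# Print only DNSKEY records whose flags field (field 5) is 257, i.e. KSKs.
# Usage on real output:  dig dlv.isc.org DNSKEY | extract_ksk > dlv.isc.org.key
# (pass the text as $1 or on stdin)
extract_ksk() {
    if [ $# -gt 0 ]; then
        printf '%s\n' "$1"
    else
        cat
    fi | awk '$3 == "IN" && $4 == "DNSKEY" && $5 == "257" { print }'
}

# For comparison: how many lines the naive 'grep 257' returns on the same input.
naive_grep_count() {
    printf '%s\n' "$1" | grep -c 257
}
```

On the constructed sample, naive_grep_count returns 3 (every record matches, because of the TTL) while extract_ksk returns only the one KSK line. The result is still an unauthenticated copy of the key; compare it against what ISC publishes before putting it in dlv-anchor-file.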
The IANA ITAR publishes a master file with the records for the top level domains. It is regularly updated with changes, so some automated way to pick up changes, say once a month, is needed. I've made such a script, and set it up for us locally.
Get the script from the unbound tarball (in contrib/), or from the svn repo: update-itar.sh (right-click, save-as, then chmod +x update-itar.sh to make it executable).
This script fetches the key file and verifies its contents with the IANA ITAR public PGP key. It prints the differences, so changes are visible in the cron mail. You can configure it to use other PGP keys or other trust anchor repositories by editing the shell variables at the top of the file. The PGP key for the IANA ITAR is distributed with the script and is used by default. The script picks up new keys and removed keys; if all keys for a zone are removed (because the zone decided to go back to unsigned), that zone is treated as unsigned again.
To install it, copy the script somewhere; the below assumes your unbound works in /usr/local/etc/unbound. Copy the script to /usr/local/etc/unbound/update-itar.sh. In your unbound.conf insert the following line:

trust-anchor-file: "/usr/local/etc/unbound/anchors.mf"
You can keep your existing trust anchor definitions if you want, they only add new trust, and do not remove it.
Try the script manually; as root do:

cd /usr/local/etc/unbound
./update-itar.sh

This should work, and unbound-checkconf should report no errors. Then you can do unbound-control reload (this requires remote control to be enabled in unbound.conf and its keys set up with unbound-control-setup).
Now make a cron job that does:

cd /usr/local/etc/unbound; ./update-itar.sh && unbound-control reload
Then query your unbound, for example with dig cz SOA +dnssec, and check that the ad flag is present in the answer: it means unbound validated the answer using the newly installed trust anchor.
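The update procedure above boils down to three things: verify the PGP signature on the fetched master file, find out what changed since the last run, and reload unbound. The following is an added example, not the update-itar.sh shipped with unbound: it shows the signature check as a gpg call and implements the change report for the three cases the text names (a newly signed zone, a key rollover, and a zone that drops all its anchors and goes back to unsigned). The two master files it compares are constructed inline with made-up DS digests; file names and the keyring path are assumptions.

```shell
#!/bin/sh
# Added example (not unbound's contrib/update-itar.sh): signature check and
# change report for a trust anchor master file of DS records.

# The step that matters for security: check the detached PGP signature on the
# downloaded master file against the repository's public key before it is
# installed as trust-anchor-file. Paths are assumptions; not run below.
verify_anchor_file() {
    keyring=$1; sigfile=$2; anchorfile=$3
    gpg --no-default-keyring --keyring "$keyring" --verify "$sigfile" "$anchorfile"
}

# Print "zone keytag alg digesttype digest" for every DS record in a master
# file, skipping ';' comments and tolerating an optional TTL field.
ds_records() {
    awk '/^[ \t]*;/ { next }
         { for (i = 2; i <= NF; i++)
               if ($i == "DS" && i + 4 <= NF) {
                   print $1, $(i+1), $(i+2), $(i+3), $(i+4); break } }' "$1"
}

# Zones that have at least one anchor in a master file, one per line, sorted.
anchor_zones() {
    ds_records "$1" | awk '{ print $1 }' | sort -u
}

# The sorted DS rdata set of one zone in one file (zone, file).
zone_ds_set() {
    ds_records "$2" | awk -v z="$1" '$1 == z { print $2, $3, $4, $5 }' | sort
}

# Compare old and new master files and print one line per change:
#   added <zone>    the zone is newly signed (anchor appeared)
#   changed <zone>  still signed, but the DS set differs (key rollover)
#   removed <zone>  no anchor left, the zone went back to unsigned
# Usage: report_changes anchors.mf.old anchors.mf.new
report_changes() {
    oldz=$(anchor_zones "$1"); newz=$(anchor_zones "$2")
    for z in $newz; do
        printf '%s\n' "$oldz" | grep -qxF "$z" || echo "added $z"
    done
    for z in $oldz; do
        if printf '%s\n' "$newz" | grep -qxF "$z"; then
            [ "$(zone_ds_set "$z" "$1")" = "$(zone_ds_set "$z" "$2")" ] \
                || echo "changed $z"
        else
            echo "removed $z"
        fi
    done
}

# Constructed sample master files (digests are not real). Writes them into a
# fresh temporary directory and prints its path.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/anchors.old" <<'EOF'
; constructed sample, old run
se.          IN DS 59747 5 1 CAFE0000000000000000000000000000000000AB
br.   86400  IN DS 5200  5 1 BEEF0000000000000000000000000000000000CD
cz.          IN DS 48342 5 1 F00D0000000000000000000000000000000000EF
EOF
    cat > "$dir/anchors.new" <<'EOF'
; constructed sample, new run: br. rolled its key, cz. went unsigned,
; pr. is newly signed, se. is unchanged
se.          IN DS 59747 5 1 CAFE0000000000000000000000000000000000AB
br.   86400  IN DS 5201  5 1 BEEF0000000000000000000000000000000000CE
pr.          IN DS 45781 5 1 FACE0000000000000000000000000000000000AA
EOF
    echo "$dir"
}
```

Running report_changes on the two sample files prints added pr., changed br. and removed cz., and nothing for se.; in a cron job that output is what lands in the mail. Only a master file whose signature passed verify_anchor_file should ever be copied over anchors.mf, since a forged anchor file would let an attacker's keys validate as genuine.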