Internal network with Private TLD and DNSSEC

Petr Menšík pemensik at redhat.com
Thu Apr 19 14:28:06 UTC 2018


Hi,

Can you provide at least the output of:

$ unbound-control list_forwards
$ dig +dnssec @localhost -t NS .
$ dig +dnssec @localhost -t NS example.local

It should work the way you described. But you provided very few details.
Note the local. domain is reserved for a different purpose, but it should
not be blocked by unbound 1.4.20.

You may also use a temporary forward in unbound:
$ unbound-control forward_add example.local <AD_IP>

Note that any client that also does DNSSEC validation and uses this resolver
would require configuration of the local zone trust anchor.

Can you describe exactly what issues you have with this configuration?

On 17.4.2018 at 03:13, LNX1 via Unbound-users wrote:
> Hi,
> I am new to both unbound and DNSSEC.
> Trying to deploy unbound as a local (127.0.0.1) recursive resolver on the
> CentOS 6.9 hosts.
> These hosts are in company's internal network, with limited outbound
> access to internet on ports 80, 443 and 25.
> Authoritative DNS servers for internal zone "example.local" are of
> type Active Directory DNS.
> Before unbound, /etc/resolv.conf was pointing to these AD DNS servers.
>  
> With unbound, I am now using 127.0.0.1 as my recursive resolver on
> CentOS hosts.
> I configured /etc/unbound/keys.d/trusted-key.key file with keys from AD DNS.
> I also configured /etc/unbound/conf.d/example.local.conf to forward
> queries for "example.local" to
> AD DNS servers.
>  
> With this I still have issues with respect to performing DNSSEC enabled
> lookups for outside hosts.
>  
> Can someone point me in the right direction on how to implement DNSSEC
> in such a scenario?
> All in all, I want to be able to utilize unbound and DNSSEC for the
> internal AD zone and external internet lookups.
>  
> Thank you.

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
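An added example, not part of the thread above and not the Unbound project's own configuration: an unbound.conf fragment for the setup the question describes (a local validating resolver with the AD zone example.local forwarded to AD DNS and a separate trust anchor for it). It assumes the file paths from the question, that the AD zone is DNSSEC signed, and hypothetical AD DNS addresses 10.0.0.10 and 10.0.0.11. The commented alternatives cover the two cases a practitioner hits most often: an unsigned AD zone, and a host that cannot reach the internet on port 53 at all (the question lists only 80, 443 and 25 outbound), in which case unbound cannot recurse and must forward external queries too.

```conf
# Added example (not from the original thread or the Unbound project).
# Assumed: paths from the question, a DNSSEC-signed example.local zone,
# and hypothetical AD DNS server addresses 10.0.0.10 / 10.0.0.11.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Root trust anchor for validating internet names (path is an
    # assumption; the file is maintained with unbound-anchor).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Trust anchor for the internal zone: DS or DNSKEY records of the AD
    # KSK in zone-file format. example.local is not delegated from the
    # root, so unbound can only validate it from this anchor.
    trust-anchor-file: "/etc/unbound/keys.d/trusted-key.key"

    # If the AD zone is NOT signed, use this instead of the trust anchor
    # so its answers are accepted as insecure instead of failing validation:
    # domain-insecure: "example.local"

    # Permit RFC 1918 addresses in answers for this zone when
    # private-address rebinding protection is enabled.
    private-domain: "example.local"

# Send everything under example.local to the AD DNS servers.
forward-zone:
    name: "example.local"
    forward-addr: 10.0.0.10
    forward-addr: 10.0.0.11

# If outbound UDP/TCP 53 to the internet is blocked, unbound cannot recurse.
# Forward the rest to a resolver you can reach (e.g. the AD servers); for
# validation to succeed it must return RRSIG/DNSKEY records when asked.
# forward-zone:
#     name: "."
#     forward-addr: 10.0.0.10
```

Check the file with `unbound-checkconf` before restarting, then verify each path separately: `dig +dnssec @127.0.0.1 host.example.local` should return an answer with the `ad` flag set if the anchor matches the zone's keys, and `dig +dnssec @127.0.0.1 -t NS .` should do the same for the root. A SERVFAIL on only one of the two points at that side's trust chain (or, for the root, at blocked outbound port 53) rather than at unbound as a whole.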
