Re: DNSSEC auth-zone

Unbound via Unbound-users Wed, 07 Jul 2021 08:10:32 -0700

On 2021-07-07 02:32, Luiz Fernando Softov via Unbound-users wrote:

Hi, I'm trying to configure a DNSSEC for an auth-zone
But I can't find any doc about it.


There is a way to enable DNSSEC for auth-zone or local-zone?

Like a signed zone in BIND or NSD does?
So, I can do a 'dig @ip-dns-server example.com +dnssec'

The command your looking for is "drill". :-)
# drill -h
drill version 1.7.0 (ldns version 1.7.0)
Written by NLnet Labs.

Copyright (c) 2004-2008 NLnet Labs.
Licensed under the revised BSD license.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.
  Usage: drill name [@server] [type] [class]
        <name>  can be a domain name or an IP address (-x lookups)
        <type>  defaults to A
        <class> defaults to IN

        arguments may be placed in random order

  Options:
        -D              enable DNSSEC (DO bit)
        -T              trace from the root down to <name>
        -S              chase signature(s) from <name> to a known key [*]
        -I <address>      source address to query from
        -V <number>       verbosity (0-5)
        -Q              quiet mode (overrules -V)

        -f file         read packet from file and send it
        -i file         read packet from file and print it
        -w file         write answer packet to file
        -q file         write query packet to file
        -h              show this help
        -v              show version

  Query options:
        -4              stay on ip4
        -6              stay on ip6
        -a              fallback to EDNS0 and TCP if the answer is truncated
        -b <bufsize>      use <bufsize> as the buffer size (defaults to 512 b)
        -c <file> use file for rescursive nameserver configuration
                        (/etc/resolv.conf)
        -k <file> specify a file that contains a trusted DNSSEC key [**]
                        Used to verify any signatures in the current answer.
                        When DNSSEC enabled tracing (-TD) or signature
                        chasing (-S) and no key files are given, keys are read
                        from: /etc/unbound/root.key
        -o <mnemonic>     set flags to:
                        [QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]
                        lowercase: unset bit, uppercase: set bit
        -p <port> use <port> as remote port number
        -s              show the DS RR for each key in a packet
        -u              send the query with udp (the default)
        -x              do a reverse lookup
        when doing a secure trace:
        -r <file> use file as root servers hint file
        -t              send the query with tcp (connected)
        -d <domain>       use domain as the start point for the trace
        -y <name:key[:algo]>      specify named base64 tsig key, and optional an
                        algorithm (defaults to hmac-md5.sig-alg.reg.int)
        -z              don't randomize the nameservers before use

  [*] = enables/implies DNSSEC
  [**] = can be given more than once

  [email protected] | http://www.nlnetlabs.nl/ldns/

# drill -TD host.some.domain
# drill -D @www.xxx.yyy.zzz host.some.domain

HTH

--Chris

Re: DNSSEC auth-zone

Reply via email to