Hi, I had a misunderstanding. drill is better than dig, I know; it was just an example of a command.

In my conception, zones were auto-signed by the daemon. Then I figured out this was a mistake. Zones are signed using tools like dns-keygen, ldns-keygen and more. I was able to find LDNS and examples like ldns-keygen and ldns-signzone. Since I use C in my system, I was able to read the code and get it working perfectly. I only needed to create functions for my buffer, because I don't use struct FILE *. I made a sign function with user interaction and my beautiful interface.

Then I knew I need the KSK and ZSK (key and private). Using these keys I read the zone and sign every RR. And done, zone signed! I changed the zonefile to the new one and restarted the service. After that I put the DS in my registrar.

Thanks for the help.

On Wed, 7 Jul 2021 at 11:10, Unbound <[email protected]> wrote:
> On 2021-07-07 02:32, Luiz Fernando Softov via Unbound-users wrote:
> > Hi, I'm trying to configure a DNSSEC for an auth-zone
> > But I can't find any doc about it.
> >
> > There is a way to enable DNSSEC for auth-zone or local-zone?
> >
> > Like a signed zone in BIND or NSD does?
> > So, I can do a 'dig @ip-dns-server example.com +dnssec'
> The command you're looking for is "drill". :-)
> # drill -h
> drill version 1.7.0 (ldns version 1.7.0)
> Written by NLnet Labs.
>
> Copyright (c) 2004-2008 NLnet Labs.
> Licensed under the revised BSD license.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS
> FOR A PARTICULAR PURPOSE.
>
> Usage: drill name [@server] [type] [class]
> <name> can be a domain name or an IP address (-x lookups)
> <type> defaults to A
> <class> defaults to IN
>
> arguments may be placed in random order
>
> Options:
> -D enable DNSSEC (DO bit)
> -T trace from the root down to <name>
> -S chase signature(s) from <name> to a known key [*]
> -I <address> source address to query from
> -V <number> verbosity (0-5)
> -Q quiet mode (overrules -V)
>
> -f file read packet from file and send it
> -i file read packet from file and print it
> -w file write answer packet to file
> -q file write query packet to file
> -h show this help
> -v show version
>
> Query options:
> -4 stay on ip4
> -6 stay on ip6
> -a fallback to EDNS0 and TCP if the answer is truncated
> -b <bufsize> use <bufsize> as the buffer size (defaults to 512 b)
> -c <file> use file for rescursive nameserver configuration (/etc/resolv.conf)
> -k <file> specify a file that contains a trusted DNSSEC key [**]
> Used to verify any signatures in the current answer.
> When DNSSEC enabled tracing (-TD) or signature chasing (-S) and no key files are given, keys are read from: /etc/unbound/root.key
> -o <mnemonic> set flags to: [QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]
> lowercase: unset bit, uppercase: set bit
> -p <port> use <port> as remote port number
> -s show the DS RR for each key in a packet
> -u send the query with udp (the default)
> -x do a reverse lookup
> when doing a secure trace:
> -r <file> use file as root servers hint file
> -t send the query with tcp (connected)
> -d <domain> use domain as the start point for the trace
> -y <name:key[:algo]> specify named base64 tsig key, and optional an algorithm (defaults to hmac-md5.sig-alg.reg.int)
> -z don't randomize the nameservers before use
>
> [*] = enables/implies DNSSEC
> [**] = can be given more than once
>
> [email protected] | http://www.nlnetlabs.nl/ldns/
>
> # drill -TD host.some.domain
> # drill -D @www.xxx.yyy.zzz host.some.domain
>
> HTH
>
> --Chris
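A worked example of the last step described in the post above, deriving the DS record that goes to the registrar from the zone's KSK DNSKEY. This is an added example for the thread, not code from the poster's system or from ldns; it assumes the DNSKEY is given in presentation form (`flags protocol algorithm base64-key`) and uses a constructed placeholder public key for `example.com`, so the digest it prints belongs to that placeholder only. It goes slightly beyond the post by supporting the three DS digest types (SHA-1, SHA-256, SHA-384) and by checking the DNSKEY is actually a zone key before producing a DS.

```python
"""Derive a DS record (RFC 4034 section 5) from a DNSKEY in presentation form.

Added example for this thread; not ldns code. Assumes the DNSKEY text is
'flags protocol algorithm base64-key' as printed in a signed zone file.
"""
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}
ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1, flag bit 7


def owner_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    name = owner.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label in owner name: {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(text: str) -> tuple:
    """Split 'flags protocol algorithm base64...' into (flags, proto, algo, rdata)."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError("expected: flags protocol algorithm base64-key")
    flags, proto, algo = (int(p) for p in parts[:3])
    # The base64 key may be wrapped over several whitespace-separated chunks.
    pubkey = base64.b64decode("".join(parts[3:]), validate=True)
    rdata = flags.to_bytes(2, "big") + bytes([proto, algo]) + pubkey
    return flags, proto, algo, rdata


def key_tag(rdata: bytes, algo: int) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit one's-complement-style sum
    over the whole DNSKEY RDATA (algorithm 1 uses a different rule)."""
    if algo == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, dnskey_text: str, digest_type: int = 2) -> dict:
    """Return DS fields for OWNER's DNSKEY: digest = H(owner_wire || DNSKEY RDATA)."""
    flags, proto, algo, rdata = parse_dnskey(dnskey_text)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & ZONE_KEY_FLAG:
        raise ValueError("not a zone key (ZONE flag clear); refusing to publish a DS")
    hname = DIGEST_ALGOS.get(digest_type)
    if hname is None:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = hashlib.new(hname, owner_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "owner": owner.rstrip(".").lower() + ".",
        "key_tag": key_tag(rdata, algo),
        "algorithm": algo,
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_presentation(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Zone-file style DS line, e.g. 'example.com. IN DS 1554 13 2 ...'."""
    d = ds_record(owner, dnskey_text, digest_type)
    return f"{d['owner']} IN DS {d['key_tag']} {d['algorithm']} {d['digest_type']} {d['digest']}"


# Constructed sample: flags 257 (ZONE + SEP, i.e. a KSK), protocol 3,
# algorithm 13 (ECDSA P-256). The public key bytes are a placeholder
# (00 01 02 03), not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 AAECAw=="

if __name__ == "__main__":
    print(ds_presentation(SAMPLE_OWNER, SAMPLE_DNSKEY))
```

Before handing the DS to the registrar, compare the output against what the signing tool itself produced and what `drill -s` shows for the published key; a mismatch usually means the wrong key (a ZSK instead of the KSK) or a stale DNSKEY was used, and a DS that does not match any DNSKEY in the zone leaves the delegation bogus rather than merely insecure.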
