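# start with a pristine lenny (Debian 5.0)
#
# Installs bind9 on this host, patches the stock /etc/bind configuration to
# turn on DNSSEC validation (via the ISC DLV lookaside registry and a static
# trust anchor for dlv.isc.org.), restarts the resolver, sends two test
# queries through it and finally prints the dedicated DNSSEC debug log.
#
# Must be run as root on a machine you are willing to reconfigure: it edits
# /etc/bind/* in place and restarts the system resolver.
#
# NOTE(review): the trust anchor below is pinned as a static `trusted-keys`
# entry, so it is never rolled over automatically (no RFC 5011 handling); a
# changed or retired key turns every validated answer into SERVFAIL. The
# dlv.isc.org DLV registry has since been decommissioned, so on a current BIND
# the root trust anchor (managed-keys / `dnssec-validation auto`) is the
# supported replacement -- confirm against the BIND version actually installed.

# Ask before touching the system; anything other than an explicit "y" aborts
# with a non-zero status so a caller can tell "declined" from "finished".
printf '%s\n' "This messes with your system.  Proceed [y/N]" &&
read -r ans;  [ "$ans" = "y" ] || exit 1

# The patch (unified diff, rooted at /etc) does three things:
#   1. named.conf.local        - pulls in the new named.conf.trusted-keys file
#   2. named.conf.options      - enables DNSSEC + DLV lookaside and adds a
#                                dedicated "dnssec" log channel under
#                                /var/log/bind9 (severity debug 3, 5 x 20m)
#   3. named.conf.trusted-keys - new file carrying the dlv.isc.org. KSK
# The heredoc delimiter is quoted so the shell never expands anything inside
# the patch body (the key material must reach patch(1) byte for byte); -l
# makes patch ignore whitespace differences in the context lines.
apt-get install -y bind9 dnsutils &&
: &&
cd /etc && patch -l -p0 << 'EOF' &&
--- bind.old/named.conf.local   2010-12-10 00:48:35.000000000 +0100
+++ bind/named.conf.local       2011-01-19 10:26:42.000000000 +0100
@@ -6,3 +6,4 @@
 // organization
 //include "/etc/bind/zones.rfc1918";

+include "/etc/bind/named.conf.trusted-keys";
--- bind.old/named.conf.options 2010-12-10 00:48:35.000000000 +0100
+++ bind/named.conf.options     2011-01-19 10:26:56.000000000 +0100
@@ -16,5 +16,23 @@

         auth-nxdomain no;    # conform to RFC1035
         listen-on-v6 { any; };
+
+        dnssec-enable yes;
+        dnssec-validation yes;
+
+        dnssec-lookaside . trust-anchor dlv.isc.org.;
+};
+
+logging {
+        channel dnssec_log {
+                file "/var/log/bind9/dnssec.log" versions 5 size 20m;
+                print-time yes;
+                print-category yes;
+                print-severity yes;
+                severity debug 3;
+        };
+        category dnssec {
+                dnssec_log;
+        };
 };

--- bind.old/named.conf.trusted-keys    1970-01-01 01:00:00.000000000 +0100
+++ bind/named.conf.trusted-keys        2011-01-19 10:17:56.000000000 +0100
@@ -0,0 +1,10 @@
+trusted-keys {
+        dlv.isc.org. 257 3 5 "
+                   BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+                   brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+                   1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+                   ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+                   Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+                   QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+                   TDN0YUuWrBNh";
+};
EOF
: &&
# named has to create dnssec.log in here: the directory is root-owned, group
# bind and group-writable (775) so a named running as the bind user can write
# and rotate the log without the directory being world-writable.
install -d -g bind -m 775 /var/log/bind9 &&
# Restart from / with an empty environment so nothing from this shell (cwd,
# env vars) leaks into the daemon.
cd / && env -i /etc/init.d/bind9 restart &&
: &&
dig +dnssec @localhost -t ns debian.org &&
sleep 10 && # so we can easily tell later which request is which in the log
dig +dnssec @localhost -t ns www.debian.org

# Deliberately not chained with && above: stop the daemon and show the log
# even if an earlier step failed, so a broken run still leaves its evidence.
/etc/init.d/bind9 stop

# then:
cat /var/log/bind9/dnssec.log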
