Quoting Andreas Schulze <[email protected]>:

Hello,

I have a remote system as resolver using unbound-1.4.7.
On my local system I configured unbound-1.4.7 also as forwarder to the remote system.

--- snip
forward-zone:
        name: "."
        # 192.0.2.53 is the remote resolver
        forward-addr: 192.0.2.53
--- snap

Resolving itself works fine.

On my local system I have the DNSSEC Validator Plugin from dnssec-validator.cz
installed. If I configure this Plugin to use the remote server as Resolver
then the Plugin shows me a green label in Firefox for dnssec-validator.cz.

If I configure the Plugin to use the local Resolver, the Validator plugin shows me
a yellow label saying "The domain name is secured with DNSSEC technology,
 but the DNS server resolver used cannot verify the signature validity."

I'm unsure if this is an error in the Plugin or if I have misconfigured
my forwarding unbound.

Any hints?

Thanks
Andreas

Hello

You could start by checking "by hand", e.g. with

dig @remote-resolver some-secured.site +dnssec

and

dig @local-resolver some-secured.site +dnssec

If you get the "ad" in the resulting dig output, DNSSEC validation succeeded.

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 dnssec-validator.cz A +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38884
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-validator.cz.           IN      A

;; ANSWER SECTION:
dnssec-validator.cz.    6829    IN      A       217.31.205.50
dnssec-validator.cz. 6829 IN RRSIG A 5 2 7200 20101214170301 20101130170301 29165 dnssec-validator.cz. BuwS/JyQDPYg3i8VHJslEOPSa/znhsOfne03I3RvyVx0cutXFj2a+ddc rEA0fC6abDZr3njhTlcwdJS11Mcl3ObHKGBY1445DaG8jUtncgAN1v+R MeN6S1QeJsTuyWuwrA7oOv66U8Okl6xXTX6Sn58AGdImIipetvSJW1fj t/M=

;; AUTHORITY SECTION:
dnssec-validator.cz.    6822    IN      NS      d.ns.nic.cz.
dnssec-validator.cz.    6822    IN      NS      b.ns.nic.cz.
dnssec-validator.cz.    6822    IN      NS      a.ns.nic.cz.
dnssec-validator.cz. 6841 IN RRSIG NS 5 2 7200 20101214170301 20101130170301 29165 dnssec-validator.cz. HggDIcJc5TOozaazxWKg3KWo3EISMRsRH+ZLVR65nW9vE5zNrMaFYIPU lqwMDH390beC52WFJG0kRNzx/s7xxuZ8UW9oZsFEWUAuXZfC59xlsk+0 AzDN6FD/Q9MNqXBAZgfIlSdkkBZWMzXAJfaUj90PIvLJ0V2o+nluiFl4 4dw=

Regards

Andreas
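
The manual check suggested in the reply, as an added example that is not part of the original thread: a shell function that reads dig output and reports whether "ad" is set in the header flags line. The function name dnssec_status and the sample headers are constructed for illustration; the first sample reuses the header lines quoted above.

```shell
#!/usr/bin/env bash
# Added example: classify a dig response (read from stdin) by its header.
# Prints: validated | not-validated | servfail | no-header
dnssec_status() {
    awk '
        # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38884"
        /^;; ->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            rcode = substr($0, RSTART + 8, RLENGTH - 8)
        }
        # e.g. ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags: */, "", flags)
            sub(/;.*/, "", flags)          # drop the section counters
            n = split(flags, f, " ")
            # exact token match, so "rd" and "ra" never count as "ad"
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
            seen = 1
        }
        END {
            if (!seen || rcode == "") print "no-header"
            else if (rcode == "SERVFAIL") print "servfail"
            else if (ad) print "validated"
            else print "not-validated"
        }'
}

# Constructed sample headers: the first mirrors the header quoted in the
# thread, the others are hypothetical responses without the "ad" flag.
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38884
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1'
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf 'with ad:    %s\n' "$(printf '%s\n' "$SAMPLE_AD" | dnssec_status)"
printf 'without ad: %s\n' "$(printf '%s\n' "$SAMPLE_NO_AD" | dnssec_status)"
printf 'servfail:   %s\n' "$(printf '%s\n' "$SAMPLE_SERVFAIL" | dnssec_status)"
# Live use: dig @192.0.2.53 dnssec-validator.cz A +dnssec | dnssec_status
```

A validating resolver answers SERVFAIL when validation fails, so that status is reported separately from a response that merely lacks the "ad" flag.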



_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
