DNSSEC
DNSSEC (Domain Name System Security Extensions) attempts to add security to DNS while maintaining backward compatibility. DNSSEC is a best current practice and it should be used whenever possible to help mitigate known attacks on DNS.
This tutorial assumes the following:
- Your OpenBSD machine has Internet connectivity.
- Unbound is enabled and functional.
- All forward-zone sections in unbound.conf(5) have been commented out or deleted.
Enable DNSSEC
Create the trust anchor
Use unbound-anchor(8) to create the initial trust anchor in /var/unbound/db/root.key.
$ doas -u _unbound unbound-anchor
Ideally, you should verify the contents of this file out of band, since DNSSEC operates by building a chain of trust from the root zone (".") onward, and a tampered root key would let a resolver accept forged data as valid. See Trust Anchors and Keys and get-trust-anchor for more details on verification.
Verify DNSSEC is enabled
Ensure that auto-trust-anchor-file is present somewhere in the server block in /var/unbound/etc/unbound.conf and that it points to /var/unbound/db/root.key. Also, aggressive-nsec should be commented, absent, or set to yes.
server:
	# ... other stuff
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	aggressive-nsec: yes
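The two settings above are easy to lose in a long server block (a leading "#" silently disables either one). The following script, added here as an example and not part of the OpenBSD tutorial, checks a config file for them the way the text describes: it strips comments, requires an uncommented auto-trust-anchor-file pointing at /var/unbound/db/root.key (overridable with a second argument, an assumption for the example), and flags only an explicit aggressive-nsec: no. The two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the OpenBSD tutorial: check an unbound.conf for
# the DNSSEC settings described above. Assumes Unbound's "key: value" config
# syntax with '#' comments, and that the trust anchor lives at the default
# path /var/unbound/db/root.key unless a second argument overrides it.

# Print the config with comments, blank lines and surrounding whitespace removed.
strip_conf() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Return 0 when validation is enabled with the expected anchor and
# aggressive-nsec is not disabled; report each finding on stdout.
check_dnssec_conf() {
    conf=$1
    anchor=${2:-/var/unbound/db/root.key}
    rc=0
    if strip_conf "$conf" | grep -Eq "^auto-trust-anchor-file: *\"?$anchor\"?$"; then
        echo "ok: auto-trust-anchor-file points to $anchor"
    else
        echo "fail: auto-trust-anchor-file missing, commented out, or not $anchor"
        rc=1
    fi
    # The tutorial allows aggressive-nsec to be absent, commented, or "yes";
    # only an explicit "no" is a finding.
    if strip_conf "$conf" | grep -Eq '^aggressive-nsec: *no$'; then
        echo "fail: aggressive-nsec is explicitly disabled"
        rc=1
    else
        echo "ok: aggressive-nsec absent or enabled"
    fi
    return $rc
}

# Constructed sample configs (written to temporary files) for a stand-alone run.
write_sample_good() {
    f=$(mktemp)
    printf '%s\n' 'server:' '    interface: 127.0.0.1' \
        '    auto-trust-anchor-file: "/var/unbound/db/root.key"' \
        '    aggressive-nsec: yes' > "$f"
    echo "$f"
}
write_sample_bad() {
    f=$(mktemp)
    printf '%s\n' 'server:' '    interface: 127.0.0.1' \
        '    # auto-trust-anchor-file: "/var/unbound/db/root.key"' \
        '    aggressive-nsec: no' > "$f"
    echo "$f"
}

good=$(write_sample_good); bad=$(write_sample_bad)
echo "--- good sample"; check_dnssec_conf "$good"
echo "--- bad sample";  check_dnssec_conf "$bad" || echo "(bad sample rejected, as expected)"
rm -f "$good" "$bad"
```

Run it against the real file with check_dnssec_conf /var/unbound/etc/unbound.conf; a non-zero exit means validation would not be active after the restart below.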
Restart/Reload Unbound
Restart Unbound so that it uses the new settings.
# rcctl restart unbound
unbound(ok)
unbound(ok)
Another option is to reload with unbound-control(8).
# unbound-control reload
ok
Test DNSSEC
You can use unbound-host(1) to test DNS lookups.
Test a domain with a valid signature
$ doas -u _unbound unbound-host -C /var/unbound/etc/unbound.conf -v go.dnscheck.tools
go.dnscheck.tools has address 142.93.10.179 (secure)
go.dnscheck.tools has IPv6 address 2604:a880:400:d0::256e:b001 (secure)
go.dnscheck.tools mail is handled by 10 mail.dnscheck.tools. (secure)
Notice that the output contains (secure).
Test a domain with an invalid signature
$ doas -u _unbound unbound-host -C /var/unbound/etc/unbound.conf -v badsig.go.dnscheck.tools
badsig.go.dnscheck.tools has address 142.93.10.179 (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. A IN>: signature crypto failed from 149.112.112.112
badsig.go.dnscheck.tools has IPv6 address 2604:a880:400:d0::256e:b001 (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. AAAA IN>: signature crypto failed from 2620:fe::9
badsig.go.dnscheck.tools mail is handled by 10 mail.dnscheck.tools. (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. MX IN>: signature crypto failed from 149.112.112.112
Notice that the output contains (BOGUS (security failure)).
DNS Forwarding and DNSSEC
It can be helpful to configure DNS forwarding for Unbound to reduce load on your server. However, each forward-addr entry must point to a DNS resolver that is known to support DNSSEC. Otherwise domain name resolution may break because Unbound can't build the required chain of trust and fails safe.
Here is a working forward-zone section that uses Quad9 and Control D.
forward-zone:
	name: "."		# use for ALL queries
	# Quad9
	forward-addr: 9.9.9.9
	forward-addr: 149.112.112.112
	forward-addr: 2620:fe::fe
	forward-addr: 2620:fe::9
	# Control D
	forward-addr: 76.76.2.1
	forward-addr: 76.76.10.1
	forward-addr: 2606:1a40::1
	forward-addr: 2606:1a40:1::1