DNSSEC

DNSSEC (Domain Name System Security Extensions) adds origin authentication and integrity protection to DNS data by signing zone records, while remaining backward compatible with servers and resolvers that do not understand it. It does not encrypt queries or responses. DNSSEC is a best current practice and should be enabled whenever possible to help mitigate known attacks on DNS such as cache poisoning and forged responses.

This tutorial assumes the following:

  • Your OpenBSD machine has Internet connectivity.
  • Unbound is enabled and functional.
  • All forward-zone sections in unbound.conf(5) have been commented out or deleted.

Enable DNSSEC

Create the trust anchor

Use unbound-anchor(8) to create the initial trust anchor in /var/unbound/db/root.key.

$ doas -u _unbound unbound-anchor

You should verify the contents of this file out of band, since DNSSEC builds its chain of trust from the root zone (".") downward and a resolver that starts from the wrong root key validates nothing useful. unbound-anchor starts from a built-in copy of the root key and, if that copy no longer validates, fetches IANA's root-anchors.xml over HTTPS and checks its signature against a built-in certificate; that bootstrap is still worth confirming by hand. See Trust Anchors and Keys and get-trust-anchor for more details on verification.

Verify DNSSEC is enabled

Ensure that auto-trust-anchor-file appears in the server block of /var/unbound/etc/unbound.conf and points to /var/unbound/db/root.key. This option is what turns validation on, and Unbound keeps the file current across root key rollovers (RFC 5011) as long as the _unbound user can write to it, which is why the file was created as that user above. aggressive-nsec should be commented out, absent, or set to yes; it is an optimisation (RFC 8198) that lets Unbound synthesise negative answers from cached NSEC/NSEC3 records, not a requirement for validation.

server:
	# ... other stuff
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	aggressive-nsec: yes

Restart/Reload Unbound

Check the file with unbound-checkconf(8) first, then restart Unbound so that it uses the new settings. The two unbound(ok) lines below are the stop and the start.

# rcctl restart unbound
unbound(ok)
unbound(ok)

Another option is to reload with unbound-control(8). This requires remote control to be enabled in the remote-control section of unbound.conf, and, unless control-use-cert is set to no, the keys generated by unbound-control-setup(8).

# unbound-control reload
ok

Test DNSSEC

You can use unbound-host(1) to test DNS lookups. It resolves names with its own copy of the resolver library rather than by querying the running daemon; -C makes it read the trust anchor and any forwarding settings from the given unbound.conf, and -v prints the validation status of every answer.

Test a domain with a valid signature

$ doas -u _unbound unbound-host -C /var/unbound/etc/unbound.conf -v go.dnscheck.tools
go.dnscheck.tools has address 142.93.10.179 (secure)
go.dnscheck.tools has IPv6 address 2604:a880:400:d0::256e:b001 (secure)
go.dnscheck.tools mail is handled by 10 mail.dnscheck.tools. (secure)

Notice that the output contains (secure): each answer was validated along a chain of trust from the root key down to the zone. A name in an unsigned zone still resolves but is reported as (insecure) instead.

Test a domain with an invalid signature

$ doas -u _unbound unbound-host -C /var/unbound/etc/unbound.conf -v badsig.go.dnscheck.tools
badsig.go.dnscheck.tools has address 142.93.10.179 (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. A IN>: signature crypto failed from 149.112.112.112
badsig.go.dnscheck.tools has IPv6 address 2604:a880:400:d0::256e:b001 (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. AAAA IN>: signature crypto failed from 2620:fe::9
badsig.go.dnscheck.tools mail is handled by 10 mail.dnscheck.tools. (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. MX IN>: signature crypto failed from 149.112.112.112

Notice that the output contains (BOGUS (security failure)) together with the reason for each failure. An ordinary client would not see the address at all: Unbound answers SERVFAIL for names that fail validation, which is the fail-safe behaviour DNSSEC is meant to provide.
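As an added example (not part of the original tutorial), the following script turns the manual check above into something a post-install test or a cron job can run: dnssec_status() classifies unbound-host -v output as secure, insecure, bogus or empty, and check_name() runs a live lookup through that classifier. The sample output strings are constructed to match the format shown above; the config path and the use of doas are assumptions taken from this page, and the live loop at the end only runs when unbound-host is installed.

```sh
#!/bin/sh
# Added example, not from the original tutorial: classify unbound-host -v
# output so the DNSSEC test can be scripted. Assumes the config path and
# _unbound user from this page; the sample strings below are constructed.

UNBOUND_CONF=/var/unbound/etc/unbound.conf	# assumed, as in the tutorial

# Read "unbound-host -v" output on stdin and print one word:
#   secure    every answer validated against the root trust anchor
#   insecure  no failure, but at least one answer came from an unsigned zone
#   bogus     at least one answer failed validation (clients would get SERVFAIL)
#   empty     no answer lines at all (NXDOMAIN, SERVFAIL, typo in the name ...)
dnssec_status() {
	awk '
		/\(secure\)/   { secure++ }
		/\(insecure\)/ { insecure++ }
		/BOGUS/        { bogus++ }
		END {
			if (bogus > 0)         print "bogus"
			else if (insecure > 0) print "insecure"
			else if (secure > 0)   print "secure"
			else                   print "empty"
		}'
}

# Resolve one name through unbound-host with the tutorial's config and
# classify the result. Run as root or with a doas rule for _unbound.
check_name() {
	doas -u _unbound unbound-host -C "$UNBOUND_CONF" -v "$1" 2>&1 | dnssec_status
}

# Constructed sample output in the format unbound-host -v prints, used for
# offline checks of the classifier.
SAMPLE_SECURE='go.dnscheck.tools has address 142.93.10.179 (secure)
go.dnscheck.tools has IPv6 address 2604:a880:400:d0::256e:b001 (secure)'

SAMPLE_BOGUS='badsig.go.dnscheck.tools has address 142.93.10.179 (BOGUS (security failure))
validation failure <badsig.go.dnscheck.tools. A IN>: signature crypto failed from 149.112.112.112'

SAMPLE_INSECURE='unsigned.example has address 192.0.2.10 (insecure)'

# Expected classification, in order: secure / bogus / insecure
printf '%s\n' "$SAMPLE_SECURE"   | dnssec_status
printf '%s\n' "$SAMPLE_BOGUS"    | dnssec_status
printf '%s\n' "$SAMPLE_INSECURE" | dnssec_status

# Live check: the two test names from this page must come out as
# "secure" and "bogus"; anything else means validation is not working.
if command -v unbound-host >/dev/null 2>&1; then
	for n in go.dnscheck.tools badsig.go.dnscheck.tools; do
		printf '%-28s %s\n' "$n" "$(check_name "$n")"
	done
fi
```

A mixed result (some answers secure, one bogus) is reported as bogus, since a single failed record is enough for Unbound to refuse the whole answer.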

DNS Forwarding and DNSSEC

Forwarding sends every query to an upstream recursive resolver instead of having Unbound walk the tree from the root servers itself, which reduces load and latency on your server at the cost of letting the upstream see your query stream. Unbound still validates answers locally against its own trust anchor, so each forward-addr entry must point to a resolver that returns the DNSSEC records (RRSIG, DNSKEY, DS, NSEC/NSEC3) when asked for them with the DO bit set. If an upstream strips those records, Unbound cannot build the required chain of trust, marks the answers bogus and fails safe, and resolution of every signed domain breaks with SERVFAIL.

Here is a working forward-zone section that uses Quad9 and Control D.

forward-zone:
	name: "."   # use for ALL queries

	# Quad9
	forward-addr: 9.9.9.9
	forward-addr: 149.112.112.112
	forward-addr: 2620:fe::fe
	forward-addr: 2620:fe::9

	# Control D
	forward-addr: 76.76.2.1
	forward-addr: 76.76.10.1
	forward-addr: 2606:1a40::1
	forward-addr: 2606:1a40:1::1
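As an added example (not the tutorial's own code), this script reads the forward-addr entries out of unbound.conf and probes each upstream with dig +dnssec for a signed name, reporting whether the upstream returns RRSIG records or strips them. The config fragment and the three dig outputs below are constructed samples (the RRSIG rdata is a placeholder, not a real signature); the config path and the test name go.dnscheck.tools are taken from this page, and the live probe at the end runs only when dig(1) is installed.

```sh
#!/bin/sh
# Added example, not from the original tutorial: list the forward-addr
# entries in unbound.conf and probe each upstream for DNSSEC pass-through.
# Unbound validates answers itself, so a forwarder only has to return the
# RRSIG (and DS/DNSKEY) records when asked with the DO bit; one that strips
# them turns every signed answer into a validation failure.

UNBOUND_CONF=/var/unbound/etc/unbound.conf	# assumed, as in the tutorial
TEST_NAME=go.dnscheck.tools			# signed name used in the tutorial

# Print every active forward-addr value, one per line. Commented-out lines
# are skipped and an "@port" or "#tls-auth-name" suffix is dropped.
list_forwarders() {
	awk '
		$1 ~ /^#/ { next }
		$1 == "forward-addr:" {
			v = $2
			sub(/[@#].*/, "", v)
			if (v != "") print v
		}'
}

# Read "dig +dnssec" output on stdin and print one word:
#   pass   NOERROR and at least one RRSIG in the answer section
#   strip  NOERROR but no RRSIG: the upstream drops DNSSEC records
#   fail   any other status, or no response at all
probe_status() {
	awk '
		/^;; ->>HEADER<<-/ && /status: NOERROR/ { ok = 1 }
		/^;; ANSWER SECTION:/  { inans = 1; next }
		/^;;/ || /^$/          { inans = 0 }
		inans && $4 == "RRSIG" { rrsig++ }
		END {
			if (!ok)            print "fail"
			else if (rrsig > 0) print "pass"
			else                print "strip"
		}'
}

# Query one upstream directly with the DO bit set and classify the reply.
probe_forwarder() {
	dig +dnssec +time=3 +tries=1 @"$1" "$TEST_NAME" A 2>&1 | probe_status
}

# Constructed unbound.conf fragment for an offline check of list_forwarders.
SAMPLE_CONF='forward-zone:
	name: "."   # use for ALL queries
	# Quad9
	forward-addr: 9.9.9.9
	forward-addr: 2620:fe::fe
	forward-addr: 149.112.112.112@853#dns.quad9.net
	#forward-addr: 192.0.2.1   # disabled'

# Constructed dig outputs (the RRSIG rdata is a placeholder, not a real signature).
SAMPLE_PASS=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
go.dnscheck.tools.  300  IN  A      142.93.10.179
go.dnscheck.tools.  300  IN  RRSIG  A 13 3 300 20990101000000 20000101000000 12345 dnscheck.tools. c29tZXNpZw==

;; Query time: 20 msec'

SAMPLE_STRIP=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
go.dnscheck.tools.  300  IN  A      142.93.10.179

;; Query time: 18 msec'

SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Expected: 9.9.9.9 / 2620:fe::fe / 149.112.112.112, then pass / strip / fail
printf '%s\n' "$SAMPLE_CONF"  | list_forwarders
printf '%s\n' "$SAMPLE_PASS"  | probe_status
printf '%s\n' "$SAMPLE_STRIP" | probe_status
printf '%s\n' "$SAMPLE_FAIL"  | probe_status

# Live probe of the forwarders actually configured on this host.
if command -v dig >/dev/null 2>&1 && [ -r "$UNBOUND_CONF" ]; then
	list_forwarders < "$UNBOUND_CONF" | while read -r addr; do
		printf '%-24s %s\n' "$addr" "$(probe_forwarder "$addr")"
	done
fi
```

A result of strip for any address in the list is the failure mode described above: Unbound will still run, but every signed name forwarded to that upstream will come back bogus. The ad flag in the pass sample only says the upstream validated for itself; it is not what Unbound relies on.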