Unbound

Unbound is a validating, recursive, caching DNS resolver.

Additional software
For testing DNS resolving use part of the net-dns/bind-tools.

Files

 * - Global (system wide) configuration file.

DNSSEC Configuration
To use DNSSEC validation, a trust anchor (file) needs to be created and pointed to from the Unbound configuration file.

One can use the tool that comes with the unbound install to create the initial trust anchor, BUT as indicated in the manual, this is at your own risk and you MUST validate the trust anchor thus created. Please see unbound documentation for details.

Alternatively, the anchor can be found in the root zone file, which can be downloaded at https://www.internic.net/domain/root.zone, by searching for DNSKEY. Again, care is needed to validate that this is indeed the correct public key.

As of May 2022, as an example ONLY (please don't use it unless you have verified it by other means), this is what was found in the root.zone file.

. IN     DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixH lFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/ EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm +2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
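One way to carry out the validation step is to compute the key tag and SHA-256 DS digest of a DNSKEY line from root.zone and compare them with the KeyTag and Digest values IANA publishes for the root trust anchor (https://data.iana.org/root-anchors/root-anchors.xml), fetched over a separate channel. This is an added example, not part of the original page or of Unbound; the function names and the short sample record are constructed for illustration.

```python
import base64
import hashlib
import hmac
import sys

# Constructed sample (3-byte dummy key, base64 wrapped by a space), not a real anchor.
SAMPLE = ". 172800 IN DNSKEY 257 3 8 AQ ID"

def parse_dnskey(line):
    """Return (owner name in wire format, DNSKEY RDATA) for one zone-file line."""
    tokens = line.split()
    i = tokens.index("DNSKEY")  # TTL and class before the type are optional
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    # The key may be wrapped across whitespace, as in the record quoted above.
    key = base64.b64decode("".join(tokens[i + 4:]), validate=True)
    labels = [l for l in tokens[0].lower().split(".") if l]
    owner = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return owner, flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over owner name + DNSKEY RDATA."""
    return hashlib.sha256(owner + rdata).hexdigest().upper()

def matches_published(line, expected_tag, expected_digest):
    """True only if both key tag and digest equal the independently obtained values."""
    owner, rdata = parse_dnskey(line)
    want = "".join(expected_digest.split()).upper()
    return key_tag(rdata) == expected_tag and hmac.compare_digest(ds_sha256(owner, rdata), want)

if __name__ == "__main__":
    # Pass the DNSKEY line as one quoted argument; defaults to the constructed sample.
    owner, rdata = parse_dnskey(sys.argv[1] if len(sys.argv) > 1 else SAMPLE)
    print("key tag:", key_tag(rdata), "DS SHA-256:", ds_sha256(owner, rdata))
```

A mismatch in either value means the record must not be used as a trust anchor.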

Once created, the anchor will need regular updates; this can be done by setting (in the configuration file) automatic updates. This uses the tool to refresh the trust anchor file.

Assuming the file is named /etc/unbound/var/dnssec-trust-anchors.key...