Micetro by Men&Mice

  • How to enable DNSSEC validation in Unbound


As of 15 July 2010, the root DNS zone is DNSSEC signed.


How do you configure an Unbound resolving DNS server to make use of DNSSEC information and validate DNS queries?


Below are some quick instructions. Full documentation can be found at

  • Unbound 1.4.0 or better (compiled with RSASHA256 support)
  • the DNS Root Trust Anchor
In your Unbound configuration, add the following line:
# trust anchor for the root zone
trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" 
and restart the Unbound DNS server. Your log files should now show DNSSEC validation:
[1279261948] unbound[12418:0] info: resolving <. NS IN>
[1279261948] unbound[12418:0] info: validate(positive): sec_status_secure
[1279261948] unbound[12418:0] info: validation success <. NS IN> 
If you want to see DNSSEC validation at work, install the Firefox DNSSEC add-on (http://www.dnssec-validator.cz/) and then go to www.root-dnssec.org or www.ripe.net. You should see a green key icon in the URL bar, telling you that this DNS information was DNSSEC validated.
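A mistyped or truncated trust anchor keeps the success lines shown above from ever appearing, so it is worth linting the `trust-anchor:` line before restarting. The following is an added example, not part of the original article or of Unbound: the function name `check_trust_anchor` and the truncated sample are constructed here, and only DS-style anchors like the one on this page are handled.

```python
import re

# Hex length of the digest for each DS digest type (1=SHA-1, 2=SHA-256, 4=SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
RSASHA256 = 8  # DNSSEC algorithm number; the page requires Unbound built with support for it
ANCHOR_RE = re.compile(r'^\s*trust-anchor:\s*"([^"]*)"\s*(?:#.*)?$')


def check_trust_anchor(line):
    """Lint one unbound.conf trust-anchor DS line. Returns (fields, problems)."""
    m = ANCHOR_RE.match(line)
    if not m:
        return None, ["not a quoted trust-anchor: line"]
    tokens = m.group(1).split()
    upper = [t.upper() for t in tokens]
    if "DS" not in upper[1:]:
        return None, ["no DS record type found (DNSKEY anchors are not handled here)"]
    # An optional TTL and class may sit between the owner name and the type.
    rdata = tokens[upper.index("DS", 1) + 1:]
    if len(rdata) < 4 or not all(re.fullmatch(r"[0-9]+", t) for t in rdata[:3]):
        return None, ["DS rdata must be: key-tag algorithm digest-type digest"]
    key_tag, algorithm, digest_type = (int(t) for t in rdata[:3])
    # Presentation format allows whitespace inside the hex digest, so rejoin it.
    digest = "".join(rdata[3:]).upper()
    fields = {"owner": tokens[0], "key_tag": key_tag, "algorithm": algorithm,
              "digest_type": digest_type, "digest": digest,
              "needs_rsasha256": algorithm == RSASHA256}
    problems = []
    if key_tag > 0xFFFF:
        problems.append("key tag does not fit in 16 bits")
    if not re.fullmatch(r"[0-9A-F]+", digest):
        problems.append("digest contains non-hex characters")
    expected = DIGEST_HEX_LEN.get(digest_type)
    if expected is None:
        problems.append(f"unknown digest type {digest_type}")
    elif len(digest) != expected:
        problems.append(f"digest is {len(digest)} hex chars, type {digest_type} needs {expected}")
    return fields, problems


if __name__ == "__main__":
    page_line = ('trust-anchor: ". DS 19036 8 2 '
                 '49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"')
    truncated = page_line[:-9] + '"'  # constructed: 8 hex chars lost in copy/paste
    for sample in (page_line, truncated):
        print(check_trust_anchor(sample))
```

This checks only the shape of the record. It does not confirm that the digest matches the key currently published for the root zone.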