I was tired of using bind9 for my DNS because of its clunkiness, its exhausting approach to DNSSEC, its awkward configuration format, its bad security history (yes, that is the project's own blog, and almost every article is about a different vulnerability), its future, and its archaism.
Unbound is a validating, recursive, and caching DNS resolver, with a simple configuration format and DNSSEC support.
This is my full configuration for a DNSSEC-enabled resolver for my LAN.
```
server:
    interface: 127.0.0.1
    interface: $MY_LAN_IP
    access-control: $MY_LAN_RANGE allow
    access-control: 127.0.0.1/24 allow
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    root-hints: "/etc/unbound/root.hints"
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Unnecessary hardening
    hide-version: yes
    hide-identity: yes
    verbosity: 1
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    prefetch: yes
    unwanted-reply-threshold: 10000
    val-clean-additional: yes
```
Here is my configuration for
```yaml
server:
    listen: 220.127.116.11@53
    user: knot:knot
    rate-limit: 120
    rate-limit-slip: 1

log:
  - target: syslog
    any: info

template:
  - id: secure
    storage: /etc/knot/storage
    semantic-checks: on
    disable-any: on
    dnssec-signing: on

acl:
  - id: acl_gandi
    address: 18.104.22.168
    action: transfer
  - id: acl_rb
    address: 22.214.171.124
    action: transfer

remote:
  - id: rb
    address: A.B.C.D@53
  - id: gandi
    address: 126.96.36.199@53

zone:
  - domain: dustri.org
    template: secure
    acl: [acl_gandi, acl_rb]
    notify: [rb, gandi]
```
And this is how to initialize the DNSSEC-related cryptographic material:
```
$ cd $YOUR_CRYPTO_MATERIAL_FOLDER
$ keymgr init
$ keymgr policy add default_rsa algorithm RSASHA256 zsk-size 1024 ksk-size 2048 nsec3 true
$ keymgr zone add myzone.test policy default_rsa
$ dig dustri.org @127.0.0.1 +dnssec DNSKEY
```
You just have to tell your registrar (if it supports DNSSEC, of course) about your public keys, and that's it: you have a working DNSSEC configuration on your zone, with automatic key rotation! You should also take a look at RFC 6781, DNSSEC Operational Practices.
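The `dig ... +dnssec` check above only shows that the resolver returns RRSIGs; what actually proves the Unbound resolver is validating is the AD flag in its answers, and a SERVFAIL for a zone whose signatures are bogus. Here is an added example (not code from the post or from the Unbound/Knot projects) that sends a DNSKEY query with the EDNS0 DO bit and classifies the answer; it assumes the resolver listens on 127.0.0.1:53, and `dnssec-failed.org` is a well-known deliberately broken test zone used only to exercise the failure path.

```python
import socket
import struct

DNSKEY = 48  # same query type as the dig check in the post

def build_dnssec_query(name, qtype=DNSKEY, txid=0x1234):
    """Build a DNS query with RD=1 and an EDNS0 OPT record carrying the DO bit.
    DO tells the resolver we want RRSIGs back and want it to validate."""
    # header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO=0x8000, no rdata
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(resp):
    """Extract the header fields that matter for a validation check."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": an}

def interpret(hdr):
    """Classify the resolver's verdict on the name."""
    if hdr["rcode"] == 2:
        return "servfail"  # bogus chain: a validating resolver fails closed
    if hdr["rcode"] == 0 and hdr["ad"]:
        return "secure"    # chain validated up to the root trust anchor
    return "insecure"      # answered, but without a validated chain (or no DO support)

def check_validation(name, server="127.0.0.1", port=53, timeout=3.0):
    """Query the resolver (assumed: the Unbound instance from the post, on localhost)."""
    query = build_dnssec_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        resp, _ = sock.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != 0x1234:
        raise ValueError("transaction id mismatch, ignoring response")
    return interpret(hdr)

if __name__ == "__main__":
    # Expected on a validating resolver: dustri.org -> secure, dnssec-failed.org -> servfail
    for n in ("dustri.org", "dnssec-failed.org"):
        print(n, check_validation(n))
```

If `dustri.org` comes back `insecure` even though the zone is signed, the usual causes are a stale or missing `root.key` trust anchor or the registrar not yet publishing the DS record.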