{"id":3888,"date":"2013-04-21T19:26:53","date_gmt":"2013-04-21T11:26:53","guid":{"rendered":"https:\/\/www.icocean.com\/wp\/?p=3888"},"modified":"2013-04-21T20:53:51","modified_gmt":"2013-04-21T12:53:51","slug":"%e7%bb%99unbound%e5%90%af%e7%94%a8dnssec","status":"publish","type":"post","link":"https:\/\/www.icocean.com\/blog\/?p=3888","title":{"rendered":"How do I configure unbound to enable DNSSEC?"},
"content":{"rendered":"<p><strong>Note:<\/strong> Enabling DNSSEC only lets you validate whether DNS records have been tampered with; it does not encrypt your DNS query traffic. If you need to encrypt DNS queries, you still need the dnscrypt tool released by OpenDNS.<br \/>\nhttp:\/\/www.opendns.com\/technology\/dnscrypt\/ and http:\/\/dnscrypt.org\/<\/p>\n<p><strong>1. Obtain the trust anchor<\/strong><br \/>\nA trust anchor plays a role similar to a root certificate. unbound-anchor can create and update the trust anchor. Use the command below to download the trust anchor and immediately check its integrity; that check is performed with the ICANN certificate built into unbound-anchor. If you are still unsure, you should also check its integrity yourself, including running unbound-anchor -l and verifying the source code, although source packages are normally already checksummed and can be assumed to be fine.<\/p>\n<p>On Ubuntu systems root.key is usually located at \/var\/lib\/unbound\/root.key<br \/>\n<code>$ sudo -u unbound unbound-anchor -a \"\/var\/lib\/unbound\/root.key\"<\/code><br \/>\nIf everything is fine, the system prints nothing.<\/p>\n<p>Of course, if the path to root.key is given incorrectly, you will get an error. For example, I initially ran the following command directly in the<!--more--> \/etc\/unbound\/ directory and it reported errors.<br \/>\n<code>:\/etc\/unbound$ sudo -u unbound unbound-anchor<br \/>\nlibunbound[3186:0] error: unable to open \/etc\/unbound\/root.key for reading: No such file or directory<br \/>\nlibunbound[3186:0] error: error reading auto-trust-anchor-file: \/etc\/unbound\/root.key<br \/>\nlibunbound[3186:0] error: validator: error in trustanchors config<br \/>\nlibunbound[3186:0] error: validator: could not apply configuration settings.<br \/>\nlibunbound[3186:0] error: module init for module validator failed<\/code><\/p>\n<p>For convenience, the unbound-anchor tool above only supplies an initial value; we must verify and obtain the root zone's signing verification data ourselves<br \/>\n(under the terms of our <a href=\"http:\/\/unbound.nlnetlabs.nl\/svn\/trunk\/LICENSE\">LICENSE<\/a>,<br \/>\nSource: http:\/\/unbound.net\/documentation\/howto_anchor.html)<\/p>\n<p>We can download the root zone's signing verification data, root-anchors.xml, from IANA over an <strong>HTTPS-encrypted connection<\/strong>:<br \/>\nDownload URL: https:\/\/data.iana.org\/root-anchors\/root-anchors.xml<br \/>\nThe content obtained is as follows:<br \/>\n<code><br \/>\n&lt;TrustAnchor id=\"AD42165F-3B1A-4778-8F42-D34A1D41FD93\" source=\"https:\/\/data.iana.org\/root-anchors\/root-anchors.xml\"&gt;<br \/>\n&lt;Zone&gt;.&lt;\/Zone&gt;<br \/>\n&lt;KeyDigest id=\"Kjqmt7v\" validFrom=\"2010-07-15T00:00:00+00:00\"&gt;<br \/>\n&lt;KeyTag&gt;19036&lt;\/KeyTag&gt;<br \/>\n&lt;Algorithm&gt;8&lt;\/Algorithm&gt;<br \/>\n&lt;DigestType&gt;2&lt;\/DigestType&gt;<br \/>\n&lt;Digest&gt;<br \/>\n49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5<br \/>\n&lt;\/Digest&gt;<br \/>\n&lt;\/KeyDigest&gt;<br \/>\n&lt;\/TrustAnchor&gt;<br \/>\n<\/code><\/p>\n<p>Then add the content above, in the format below, as the last line of the \/var\/lib\/unbound\/root.key file<br \/>\n<code>. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5<\/code><br \/>\nWhen editing the root.key file, remember to use sudo -u unbound nano \/var\/lib\/unbound\/root.key so that ownership of the file stays with the unbound user.<\/p>\n<p><strong>2. Enable it in unbound<\/strong><br \/>\nTo configure unbound to perform DNSSEC validation, only one line needs to be added to the server section:<br \/>\n<code>auto-trust-anchor-file: \"\/usr\/local\/etc\/unbound\/root.key\"<\/code><br \/>\nThen restart unbound.<\/p>\n<p><strong>3. Verify that it is enabled (method one)<\/strong><br \/>\nWith dig com. SOA +dnssec you should see that DNSSEC validation succeeded (flags: ad):<\/p>\n<p>$ dig com. SOA +dnssec<\/p>\n<p>; &lt;&lt;&gt;&gt; DiG 9.8.1-P1 &lt;&lt;&gt;&gt; com. SOA +dnssec<br \/>\n;; global options: +cmd<br \/>\n;; Got answer:<br \/>\n;; -&gt;&gt;HEADER&lt; ;; flags: qr rd ra <span style=\"color: #ff0000;\"><strong>ad<\/strong><\/span>; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1<\/p>\n<p>;; OPT PSEUDOSECTION:<br \/>\n; EDNS: version: 0, flags: do; udp: 4096<br \/>\n;; QUESTION SECTION:<br \/>\n;com. IN SOA<\/p>\n<p>;; ANSWER SECTION:<br \/>\ncom. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1366543272 1800 900 604800 86400<br \/>\ncom. 900 IN RRSIG SOA 8 1 900 20130428112112 20130421101112 35519 com. cfaBU\/Ygqt5ATC8Wn94c9ILZQcw1kYWkcTKDgHnVOSvSU5n+WBJoVO08 3jwDABVVLx5VUON+uygspq10YWW5PBy7HdCeRNLJ1QK4qyWtPVICHkIv HugvKEEAwYAP6kZPcI\/Ogi0J1O80fA2hNZ65Wrhm8ZG5hScOariNqXz7 V7s=<\/p>\n<p>;; AUTHORITY SECTION:<br \/>\ncom. 172800 IN NS e.gtld-servers.net.<br \/>\ncom. 172800 IN NS f.gtld-servers.net.<br \/>\ncom. 172800 IN NS c.gtld-servers.net.<br \/>\ncom. 172800 IN NS i.gtld-servers.net.<br \/>\ncom. 172800 IN NS m.gtld-servers.net.<br \/>\ncom. 172800 IN NS b.gtld-servers.net.<br \/>\ncom. 172800 IN NS l.gtld-servers.net.<br \/>\ncom. 172800 IN NS j.gtld-servers.net.<br \/>\ncom. 172800 IN NS d.gtld-servers.net.<br \/>\ncom. 172800 IN NS k.gtld-servers.net.<br \/>\ncom. 172800 IN NS g.gtld-servers.net.<br \/>\ncom. 172800 IN NS h.gtld-servers.net.<br \/>\ncom. 172800 IN NS a.gtld-servers.net.<br \/>\ncom. 172800 IN RRSIG NS 8 1 172800 20130428041929 20130421030929 35519 com. uIBGqbhLKX4AyXiZuHWEq2csMba1STfqGca7ta9OB5VItaGEYhCf5NB9 fG5GHjtZGO8tQSKcqs4qifT+cVkjoVkqmU+03n1uwK8QgJ6R18cTU78L khMtqtYaqiWjalrSuQCH5B6Tq549neGWC9H284ICGRU62jSdc16oNHIj F5A=<\/p>\n<p>;; Query time: 3949 msec<br \/>\n;; SERVER: 127.0.0.1#53(127.0.0.1)<br \/>\n;; WHEN: Sun Apr 21 19:21:33 2013<br \/>\n;; MSG SIZE rcvd: 637<\/p>\n<p><strong>4. Verify that it is enabled (method two)<\/strong><\/p>\n<p>You can also test it by visiting <a href=\"http:\/\/dnssectest.sidn.nl\/\">http:\/\/dnssectest.sidn.nl\/<\/a> in a browser.<\/p>\n<p>Many US federal government websites have already enabled DNSSEC, but until everyone's caching servers and more commercial sites support DNSSEC, doing so does not significantly improve security.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Note: Enabling DNSSEC only lets you validate whether DNS records have been tampered with; it does not encrypt your DNS query traffic. If you need to encrypt DNS queries <a href='https:\/\/www.icocean.com\/blog\/?p=3888' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3508],"tags":[1289,3059,3510,3817],"class_list":["post-3888","post","type-post","status-publish","format-standard","hentry","category-dnssec-and-dns-","tag-dns","tag-dnssec","tag-unbound","tag-3817","category-3508-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"amp_enabled":true,
"_links":{"self":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/3888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3888"}],"version-history":[{"count":8,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/3888\/revisions"}],"predecessor-version":[{"id":3896,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/3888\/revisions\/3896"}],"wp:attachment":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}