OpenBSD is contemplating replacing BIND with the Unbound recursive DNS server and the NSD authoritative DNS server. As I need a client-facing nameserver that performs DNSSEC validation, I decided to try Unbound.
I started by installing the latest OpenBSD amd64 snapshot with the ports tree, then built /usr/ports/net/unbound without any special options. As unbound chroots into /var/unbound after startup, all configuration files and device nodes are under that directory.
You’ll also need a current root hints file. Get it from the Internic FTP server.
# cd /var/unbound/etc
# ftp ftp://FTP.INTERNIC.NET/domain/named.cache
The default configuration, /var/unbound/etc/unbound.conf, includes dozens of options, but all of them have sensible defaults. Most of them you set only if you run a very heavily loaded server, want to log queries, or need to force the server to bind to a specific IP address. We do need a few unbound.conf settings. First, set the path to the current root server hint file you just downloaded.
Do not run a recursive DNS server that accepts queries from all IP addresses; an open resolver will be abused as a node in a DDoS attack. Use the access-control statement to restrict which addresses can make queries. Start by refusing queries from all addresses, then explicitly list the addresses you will accept queries from, like so:
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
With these settings in place, unbound can answer recursive queries. Start unbound:
 unbound[10557:0] warning: increased limit(open files) from 128 to 4140
Now test from a machine with an IP address specified in an access-control statement.
# dig www.michaelwlucas.com @nstest
;; ANSWER SECTION:
www.michaelwlucas.com. 7200 IN A 220.127.116.11
We’re getting answers. You have a working Unbound server! Now that we’ve gotten this far, let’s break it by trying to add DNSSEC validation. Not all top-level domains are DNSSEC-signed yet, and most Web browsers and operating systems are not yet DNSSEC-aware, but when that day comes I don’t want to have to come back and reconfigure my server. To add DNSSEC to Unbound, you must fetch the root zone’s public key and tell Unbound where to find that key. To identify the root zone,
Now fetch the root key and store it in /var/unbound/etc/root.key.
# /usr/local/sbin/unbound-anchor -a "/var/unbound/etc/root.key"
Restart Unbound, and query the root zone with DNSSEC requested. The ad (authenticated data) flag in the reply shows that Unbound validated the answer with DNSSEC. You’ll also see the signature resource records, RRSIGs.
# dig . @nstest +dnssec
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
. 86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
. 86400 IN RRSIG NSEC 8 0 86400 20110222000000 20110214230000 21639 . VxTx/DhLO26TClKW4UUby50Qmw3gmUewRzOIVFT2pw34mm6XSW+Fo5uDrUjgpXpQRkTUJlyLpxXm5843xdO9UNQOWIRoRAcaGCdbykc5Bvr2R+ho1yOYmo+3ExpvuIn7xxtm+1Yjl6RiVWckXVuqESKRmd6cvu2uM+nlmxd f/M=
That’s it! Your Unbound recursive DNS server is ready to answer queries and validate DNSSEC.
To automatically update the root key and start Unbound at boot, I added the following to /etc/rc.local:
echo 'anchoring unbound'
/usr/local/sbin/unbound-anchor -a "/var/unbound/etc/root.key"
echo 'starting unbound'
There’s no need for an Unbound shutdown procedure: just killing the process will suffice.