Ever want to enable DNSSEC on your Unbound OpenBSD 6.6 server? Me too! Using this article as a guide, I document the process.

Unbound Configuration

Use the ftp command to download the Root Hints.

ftp -o /var/unbound/etc/root.hints https://www.internic.net/domain/named.root

Download the trust anchor file with the unbound-anchor utility.

unbound-anchor

Configure unbound.conf. Add the location of the root.hints file and uncomment the lines with the keys auto-trust-anchor-file and val-log-level.

/var/unbound/etc/unbound.conf
# Uncomment to enable DNSSEC validation.
#
root-hints: "/var/unbound/etc/root.hints" (1)
auto-trust-anchor-file: "/var/unbound/db/root.key"
val-log-level: 2
1 This line was added, not uncommented…​ to be fair.

Make sure the upstream resolvers support DNSSEC. The list provided by DNSCrypt has some good options.

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
	name: "." # use for ALL queries
	forward-addr: 176.103.130.132 # adguard-dns-family
	forward-addr: 185.228.168.10 # cleanbrowsing-adult

Verify the configuration of unbound.conf which unbound-checkconf.

unbound-checkconf

Finally, restart Unbound.

rcctl restart unbound

Verify that DNSSEC is working with the dig command from a computer using your unbound server. This website, jwillikers.com, has DNSSEC enabled and so makes for a good address to test. Cloudflare provides a nice write-up about using dig to verify DNSSEC here.

dig jwillikers.com +dnssec

The example below contains the appropriate response with DNSSEC enabled. Look for the ad flag and the RRSIG entry.

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> jwillikers.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46922
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 (1)

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jwillikers.com.			IN	A

;; ANSWER SECTION:
jwillikers.com.		300	IN	A	104.28.26.241
jwillikers.com.		300	IN	A	104.28.27.241
jwillikers.com.		300	IN	RRSIG	A 13 2 300 20200329192309 20200327172309 34505 jwillikers.com. DcQzhWhlVflaeqCkZn92X6jRMJvtFySr7wN1AzGaJVk7/b4JbS/lqqZB ZepEA6FP3bHz8g5H6zduVKKv/D8Tqg== (2)

;; Query time: 35 msec
;; SERVER: 192.168.6.1#53(192.168.6.1)
;; WHEN: Sat Mar 28 13:23:09 CDT 2020
;; MSG SIZE  rcvd: 185
1 The ad flag is present in the list of flags.
2 The RRSIG entry.