Dnssec-trigger is a tool to enable DNSSEC validation on a desktop computer. It verifies that the host network DNS servers, as provided by DHCP, are able to perform DNSSEC validation, and instructs a local Unbound resolver to perform its own validation if necessary.
Dnssec-trigger needs a bit of integration within the system, as it needs to be informed of any change of network connectivity. It comes with the appropriate “hooks” for NetworkManager and Netconfig. I explain here how to install and integrate it within a Slackware system which uses neither of those.
I provide SlackBuild scripts for ldns (required for Unbound), Unbound, and Dnssec-trigger; you can use those instead of installing these programs from source manually. The SlackBuilds have been tested on Slackware64 14.0 and 14.1. They automatically create the appropriate user accounts and rc scripts.
If you use these SlackBuilds, you can skip this section and proceed with “Starting the local resolver” below.
Install ldns:
$ wget http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.16.tar.gz
$ tar xf ldns-1.6.16.tar.gz
$ cd ldns-1.6.16
$ ./configure --prefix=/usr --mandir=/usr/man --disable-static \
    --with-ca-files=/etc/ssl/certs/ca-certificates.crt --with-drill
$ make
# make install
# install -m 644 packaging/libldns.pc /usr/lib/pkgconfig/libldns.pc
Then install Unbound:
$ wget http://unbound.net/downloads/unbound-1.4.21.tar.gz
$ tar xf unbound-1.4.21.tar.gz
$ cd unbound-1.4.21
$ ./configure --prefix=/usr --mandir=/usr/man --disable-static \
    --with-conf-file=/var/lib/unbound/unbound.conf \
    --with-run-dir=/var/lib/unbound \
    --with-pidfile=/var/run/unbound.pid
$ make
# make install
Create an rc script to control the resolver daemon, in /etc/rc.d/rc.unbound:
#!/bin/sh
case "$1" in
  start)
    /usr/sbin/unbound-control start
    ;;
  stop)
    /usr/sbin/unbound-control stop
    ;;
  reload)
    /usr/sbin/unbound-control reload
    ;;
  status)
    /usr/sbin/unbound-control status
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|status}" 1>&2
    exit 1
    ;;
esac
Create a dedicated user account to run Unbound:
# groupadd -g 281 unbound
# useradd -u 281 -c Unbound -d /var/lib/unbound -g unbound unbound
# mkdir -p /var/lib/unbound
# chown unbound:unbound /var/lib/unbound
Finally, install Dnssec-trigger:
$ wget http://www.nlnetlabs.nl/downloads/dnssec-trigger/dnssec-trigger-0.11.tar.gz
$ tar xf dnssec-trigger-0.11.tar.gz
$ cd dnssec-trigger-0.11
$ ./configure --prefix=/usr --mandir=/usr/man \
    --with-hooks=none --with-keydir=/var/lib/dnssec-trigger \
    --with-config=/etc/dnssec-trigger.conf \
    --with-unbound-control=/usr/sbin/unbound-control
$ make
# make install
and the /etc/rc.d/rc.dnssec-triggerd control script:
#!/bin/sh
PIDFILE=/var/run/dnssec-trigger.pid
case "$1" in
  start)
    /usr/sbin/dnssec-triggerd
    ;;
  stop)
    /usr/sbin/dnssec-trigger-control stop
    ;;
  status)
    if [ -f $PIDFILE ] && kill -0 $(cat $PIDFILE) 2>/dev/null ; then
      echo "dnssec-triggerd is running."
    else
      echo "dnssec-triggerd is not running."
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|status}" 1>&2
    exit 1
    ;;
esac
Before starting the Unbound resolver, run the following two commands once: the first sets up the root trust anchor needed for DNSSEC validation (it needs network access the first time, to fetch and verify the anchor), the second creates the keys needed to control the daemon:
# /usr/sbin/unbound-anchor
# /usr/sbin/unbound-control-setup
Dnssec-trigger also needs the same kind of initialization:
# /usr/sbin/dnssec-trigger-control-setup
Edit Unbound’s configuration file in /var/lib/unbound/unbound.conf to specify the location of the trust anchor file (just uncomment the corresponding line in the default configuration file) and to enable remote control. Enabling remote control does not expose anything on the network: Unbound binds its control interface to 127.0.0.1 by default and only accepts connections that present the keys generated by unbound-control-setup.
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    …
remote-control:
    control-enable: yes
Now, you need to start the resolver daemon at bootup. On Slackware, the usual place to start daemons not provided by the core distribution is /etc/rc.d/rc.local, but this script is executed at the end of the init sequence and I think that in the case of Unbound, it is better to start the daemon at the same time the network is set up. In fact, when used together, Unbound and Dnssec-trigger should be started after the loopback interface is made available (so that they can bind to a localhost socket), but before any physical interface is brought up (so that the daemons are already running when we receive a DHCP answer; otherwise the dhcpcd hook described below would submit the nameservers to a daemon that is not listening yet). Consequently, I suggest starting them somewhere in /etc/rc.d/rc.inet1, at the end of the lo_up function (which brings up the loopback interface):
lo_up() {
  if grep lo: /proc/net/dev 1> /dev/null ; then
    if ! /sbin/ifconfig | grep "^lo" 1> /dev/null ; then
      /sbin/ifconfig lo 127.0.0.1
      /sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo
      # Start local resolver
      if [ -x /etc/rc.d/rc.unbound ]; then
        /etc/rc.d/rc.unbound start
      fi
      if [ -x /etc/rc.d/rc.dnssec-triggerd ]; then
        /etc/rc.d/rc.dnssec-triggerd start
      fi
    fi
  fi
}
Then, as usual on Slackware, you decide whether you want to enable the daemons by setting (or not) the executable bit on the /etc/rc.d/rc.unbound and /etc/rc.d/rc.dnssec-triggerd scripts.
Once the daemons are in place, you need to modify the configuration of the DHCP client (dhcpcd). First, you must prevent it from filling the /etc/resolv.conf file with the addresses of the nameservers provided by the DHCP server (with Dnssec-trigger, the only nameserver that should be listed in this file is the Unbound resolver on localhost; any other entry would let applications bypass validation), and second, you must instruct it to send the nameservers’ addresses to the Dnssec-trigger daemon instead, so that it can test their DNSSEC capabilities.
Edit dhcpcd’s configuration file /etc/dhcpcd.conf and disable the resolv.conf hook script:
nohook resolv.conf
Then create (or modify, if you already have one) an “exit hook” script (/etc/dhcpcd.exit-hook) that dhcpcd executes upon each DHCP event. In this script, send the addresses of the nameservers (contained in the new_domain_name_servers variable in the script’s environment) to the Dnssec-trigger daemon using the dnssec-trigger-control(8) command:
#!/bin/sh
# dhcpcd exit hook: hand the DHCP-provided nameservers to dnssec-triggerd
# instead of writing them to /etc/resolv.conf (see "nohook resolv.conf").
# dhcpcd reports the lease event in $reason. Besides BOUND, a lease is
# also obtained on REBOOT (reuse of a stored lease at startup) and its
# nameservers may change on RENEW or REBIND, so those events are handled
# the same way.
case "$reason" in
  BOUND|REBOOT|RENEW|REBIND)
    if [ -n "$new_domain_name_servers" ]; then
      /usr/sbin/dnssec-trigger-control submit "$new_domain_name_servers"
    fi
    ;;
esac
That’s it. Now Dnssec-trigger will probe the DNSSEC awareness of the DHCP-provided nameservers and instruct Unbound to use them as forwarders if they pass DNSSEC data through correctly (Unbound still validates every answer itself against the root trust anchor; the forwarders only spare it the work of contacting the authoritative servers), or, if they do not, to query the authoritative servers directly. The result of the last probe can be inspected with dnssec-trigger-control status.
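Daemon status alone does not prove that validation is happening; the two things worth checking are that nothing other than the loopback resolver is listed in /etc/resolv.conf and that answers from 127.0.0.1 actually carry the AD (Authenticated Data) flag, which Unbound sets only after a successful DNSSEC validation. The script below is an added example, not part of this article’s SlackBuilds nor of dnssec-trigger or Unbound. It assumes drill (built above with ldns) is installed; the two domain names nlnetlabs.nl and dnssec-failed.org are placeholders for a zone you trust to be correctly signed and one known to have broken signatures, and should be replaced with zones of your own choosing.

```sh
#!/bin/sh
# Verification script added to this article (it is not part of
# dnssec-trigger or Unbound). Run it once the daemons are up, as
#   sh check-local-resolver.sh --live
# to confirm that the machine really resolves through a validating
# local Unbound. Two things are checked:
#  1. /etc/resolv.conf names only the loopback resolver. A DHCP-provided
#     nameserver left in that file lets applications bypass validation.
#  2. A query to 127.0.0.1 comes back with the AD (Authenticated Data)
#     flag, which Unbound sets only after successful DNSSEC validation,
#     and a domain with deliberately broken signatures is refused
#     (SERVFAIL) instead of being answered.
# Assumptions: drill (from ldns) is installed; the two domain names used
# by live_check are placeholders you should replace with zones you trust.

# Return 0 if every "nameserver" line of the given resolv.conf points at
# loopback (127.0.0.0/8 or ::1), 1 otherwise. Text after # or ; is a
# comment and is ignored, as the resolver library ignores it.
resolv_conf_localhost_only() {
    file="${1:-/etc/resolv.conf}"
    [ -r "$file" ] || return 1
    bad=$(sed -e 's/[#;].*//' "$file" \
          | awk '$1 == "nameserver" { print $2 }' \
          | grep -v -E '^(127\.[0-9]+\.[0-9]+\.[0-9]+|::1)$' || true)
    [ -z "$bad" ]
}

# Return 0 if the drill/dig output passed as $1 carries the AD flag in
# its header, e.g. ";; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, ...".
# Both the drill ("ad ;") and dig ("ad;") spellings are recognised.
answer_is_validated() {
    printf '%s\n' "$1" | grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# Return 0 if the drill output passed as $1 reports a SERVFAIL rcode,
# which is what a validating resolver answers for a bogus zone.
answer_is_servfail() {
    printf '%s\n' "$1" | grep -E '^;; ->>HEADER<<-.*rcode: SERVFAIL' >/dev/null
}

# Live check against the local resolver. -D asks drill to set the DO bit
# so that Unbound returns the AD flag when it validated the answer.
live_check() {
    good="${1:-nlnetlabs.nl}"          # assumed to be a properly signed zone
    broken="${2:-dnssec-failed.org}"   # assumed to have broken signatures
    command -v drill >/dev/null 2>&1 || { echo "drill not found"; return 2; }
    out=$(drill -D "$good" @127.0.0.1 2>&1 || true)
    if answer_is_validated "$out"; then
        echo "OK:   $good validated (AD flag set)"
    else
        echo "FAIL: no AD flag for $good; Unbound is not validating"; return 1
    fi
    out=$(drill -D "$broken" @127.0.0.1 2>&1 || true)
    if answer_is_servfail "$out"; then
        echo "OK:   $broken refused (SERVFAIL)"
    else
        echo "FAIL: $broken was answered; bogus data is not being rejected"; return 1
    fi
}

# Only act when explicitly asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    if resolv_conf_localhost_only /etc/resolv.conf; then
        echo "OK:   /etc/resolv.conf points only at localhost"
    else
        echo "FAIL: /etc/resolv.conf lists a non-loopback nameserver"; exit 1
    fi
    live_check
fi
```

If the first live query comes back without the AD flag, check that the auto-trust-anchor-file line is active in unbound.conf and that /var/lib/unbound/root.key exists; if the broken zone is answered with data instead of SERVFAIL, the DHCP nameservers are being used directly rather than through Unbound, which usually means /etc/resolv.conf was rewritten by something other than the hook above.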