Re: DNSSEC, Resolvers and Authentication-Results: "unprotected key"

From: A. Schulze <sca_at_andreasschulze.de>
Date: Tue, 13 Oct 2015 21:43:08 +0200

On 13.10.2015 at 15:48, Jim Seymour wrote:
> That says the only way I can persuade OpenDKIM to see that my zone is
> indeed secured is by installing and configuring the unbound package? Is
> that correct?

Jim,

OpenDKIM may be compiled to use unbound library code. ( /usr/sbin/opendkim -V | grep USE_UNBOUND )
But in this case OpenDKIM does /not/ require an unbound process running somewhere.

OpenDKIM uses the library to fetch DKIM keys directly by generating non-recursive DNS queries and validating the responses.
That's the "direct" way to handle DNSSEC. Postfix, for example, chose another model: there, any DNSSEC validation is done by an
external resolver. Trust is based on the fact that this resolver acts on the /local/ host.

But back to OpenDKIM:
unbound+libunbound have useful defaults (man unbound.conf).
Most important: it knows about the root nameservers...

So all you need to enable DNSSEC validation is a root trust anchor.

/path/to/opendkim.conf:
   ResolverConfiguration /path/to/unbound_style_config_file

/path/to/unbound_style_config_file:
   server:
      trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"

That's all. No running unbound daemon needed!

Be aware that unbound supports RFC 5011 to "automate Updates of DNS Security (DNSSEC) Trust Anchors".
By placing a static DS in the configuration, validation may fail one day on a root key rollover.

I'm not sure whether this function is implemented in unbound (the server daemon) or in libunbound.
Readers are welcome to clarify this :-)

Andreas
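The configuration above hands libunbound a static root DS, and the message warns that such an anchor does not follow an RFC 5011 rollover. The script below is an added example (it is not code from this message, from OpenDKIM or from the unbound project): it parses the trust-anchor lines of an unbound-style configuration file, checks that each DS record is syntactically sound (16-bit key tag, known algorithm, digest length matching the digest type), and flags any root anchor whose key tag is not in an operator-maintained expected set. The sample configuration text is constructed for the demonstration; only the key tag 19036 DS line is the one quoted above. The default expected set {20326} is an assumption standing in for the operator's own list (20326 is the key tag of the root KSK that replaced 19036 in the 2018 rollover).

```python
"""Sanity-check the static DS trust anchors in an unbound-style config.

Added example, not code from OpenDKIM or unbound. SAMPLE_CONFIG is
constructed; EXPECTED_ROOT_KEY_TAGS is an assumed operator-maintained list.
"""
import re

# Digest type -> expected hex digest length (SHA-1, SHA-256, SHA-384).
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
_DIGEST_NAMES = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}

# DNSKEY algorithm numbers this check accepts (RSA/SHA variants, ECDSA, EdDSA).
KNOWN_DNSKEY_ALGORITHMS = {5, 7, 8, 10, 13, 14, 15, 16}

# Assumption: the operator keeps this set current by hand; a static
# trust-anchor line is not updated by RFC 5011, so a stale tag is the
# failure mode to catch before the next root key rollover.
EXPECTED_ROOT_KEY_TAGS = {20326}

SAMPLE_CONFIG = """\
server:
   # DS line as quoted in the message (root KSK-2010)
   trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
   # constructed, malformed: digest far too short for SHA-256
   trust-anchor: ". DS 12345 8 2 DEADBEEF"
   verbosity: 1
"""


def parse_trust_anchors(config_text):
    """Return one entry per trust-anchor line: its line number and fields."""
    anchors = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r'\s*trust-anchor:\s*"([^"]*)"', line)
        if not m:
            continue  # comments, other options, blank lines
        anchors.append({"line": lineno, "fields": m.group(1).split()})
    return anchors


def check_anchor(fields, expected_root_tags=EXPECTED_ROOT_KEY_TAGS):
    """Return a list of problems for one anchor; empty list means it looks sane."""
    if len(fields) != 6 or fields[1].upper() != "DS":
        return ["not a 6-field DS record (DNSKEY anchors are not checked here)"]
    owner, _, tag, alg, dtype, digest = fields
    problems = []
    if not (tag.isdigit() and 0 <= int(tag) <= 65535):
        problems.append("key tag %r is not a 16-bit integer" % tag)
    if not (alg.isdigit() and int(alg) in KNOWN_DNSKEY_ALGORITHMS):
        problems.append("unknown DNSKEY algorithm %r" % alg)
    if not (dtype.isdigit() and int(dtype) in DS_DIGEST_HEX_LEN):
        problems.append("unknown digest type %r" % dtype)
    else:
        want = DS_DIGEST_HEX_LEN[int(dtype)]
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % want, digest):
            problems.append("digest is not %d hex chars (%s)"
                            % (want, _DIGEST_NAMES[int(dtype)]))
    # Root anchor with a key tag the operator does not expect: most likely
    # a leftover from before a rollover, exactly the case the message warns about.
    if owner == "." and tag.isdigit() and int(tag) not in expected_root_tags:
        problems.append("root key tag %s not in expected set; a static anchor "
                        "does not track an RFC 5011 rollover" % tag)
    return problems


def check_trust_anchors(config_text, expected_root_tags=EXPECTED_ROOT_KEY_TAGS):
    """Parse every trust-anchor line and attach its problem list."""
    report = []
    for a in parse_trust_anchors(config_text):
        fields = a["fields"]
        tag = int(fields[2]) if len(fields) == 6 and fields[2].isdigit() else None
        report.append({
            "line": a["line"],
            "record": " ".join(fields),
            "key_tag": tag,
            "problems": check_anchor(fields, expected_root_tags),
        })
    return report


if __name__ == "__main__":
    for entry in check_trust_anchors(SAMPLE_CONFIG):
        status = "OK" if not entry["problems"] else "; ".join(entry["problems"])
        print("line %d: %s -> %s" % (entry["line"], entry["record"], status))
```

Run it against the real file named by ResolverConfiguration in opendkim.conf by passing that file's contents to check_trust_anchors; a non-empty problem list for the root anchor is the signal to refresh the DS line (or to move to a mechanism that tracks RFC 5011) before DKIM verification starts failing.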
Received on Tue Oct 13 2015 - 19:44:51 PST

This archive was generated by hypermail 2.3.0 : Tue Oct 13 2015 - 19:54:01 PST