A personal Blog

DNSSEC & TLSA (Lubuntu 14.04 LTS)

DNSSEC

The first step is to disable dnsmasq, which in this release is an old version (2.68) that does not support DNSSEC well (later versions do). In /etc/NetworkManager/NetworkManager.conf comment out the dns=dnsmasq line so that it reads # dns=dnsmasq, then restart NetworkManager with sudo initctl restart network-manager.

DANE

Install unbound and configure it properly. Unbound is a validating, recursive, caching DNS resolver:

sudo apt-get install unbound

See my unbound.conf or man 5 unbound.conf. Configure NetworkManager to use your local DNS server. If you then query with +dnssec, for example dig com. SOA +dnssec, you should see the AD (authenticated data) flag in the response header:

$ dig @127.0.0.1 sys4.de +dnssec | egrep 'flags: ([a-z]{2}\s)*ad.*;'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

$ ldns-dane verify posteo.de 443
89.146.220.134 dane-validated successfully

Finally, check that validation failures are actually reported. Both of these deliberately broken zones must come back as SERVFAIL:

$ dig @127.0.0.1 sigfail.verteiltesysteme.net | grep SERVFAIL
$ dig @127.0.0.1 servfail.sidnlabs.nl +dnssec | grep SERVFAIL

Even a plain ping of a deliberately broken domain should fail to resolve:

$ ping dnssec-failed.org
ping: unknown host dnssec-failed.org

The unbound log shows why the lookup was rejected:

info: validation failure <dnssec-failed.org. A IN>: no keys have a DS with algorithm RSASHA1 from 68.87.85.132 for key dnssec-failed.org. while building chain of trust
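The checks above, collected into one small POSIX sh script as an added example (not from the original post or from the unbound/ldns projects). The parsing helpers read captured dig and ldns-dane output on stdin so they can be exercised on text; run_checks invokes the real tools against 127.0.0.1, which is assumed to be the local unbound instance, and tlsa_describe decodes the TLSA fields with their RFC 6698 names.

```shell
#!/bin/sh
# Added example for the DNSSEC/DANE checks in the post. Helpers take the
# tool output on stdin; run_checks runs dig/ldns-dane against 127.0.0.1
# (assumed to be the local unbound). Usage: sh dnssec-check.sh run

# 0 (true) when the dig header on stdin carries the AD (authenticated data)
# flag. Only the ";; flags:" line is inspected and "ad" must be a whole token,
# so "ra", "cd" or the word ADDITIONAL can never produce a false hit.
has_ad_flag() {
    grep -E '^;; flags:( [a-z]{2})* ad( [a-z]{2})*;' >/dev/null
}

# 0 (true) when dig reports SERVFAIL, which is what a validating resolver
# returns for a zone whose signatures do not verify.
is_servfail() {
    grep -E '^;; ->>HEADER<<-.* status: SERVFAIL,' >/dev/null
}

# 0 (true) when ldns-dane reports a successful match against the TLSA record.
dane_ok() {
    grep -E ' dane-validated successfully$' >/dev/null
}

# Decode usage/selector/matching-type of TLSA records on stdin, as printed by
# "dig ... TLSA +noall +answer" (owner ttl IN TLSA u s m hex), using the
# RFC 6698 names: "3 1 1" reads as DANE-EE / SPKI / SHA-256.
tlsa_describe() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "TLSA") { u = $(i+1); s = $(i+2); m = $(i+3); break }
        if (i > NF) next
        split("PKIX-TA PKIX-EE DANE-TA DANE-EE", U, " ")
        split("Cert SPKI", S, " "); split("Full SHA-256 SHA-512", M, " ")
        printf "%s usage=%s selector=%s matching=%s\n", $1, U[u+1], S[s+1], M[m+1]
    }'
}

# Live run of the checks from the post against the local resolver.
run_checks() {
    r=127.0.0.1; rc=0
    dig @"$r" sys4.de +dnssec | has_ad_flag || { echo "FAIL: no AD flag from $r"; rc=1; }
    dig @"$r" sigfail.verteiltesysteme.net +dnssec | is_servfail || { echo "FAIL: bogus zone accepted"; rc=1; }
    dig @"$r" _443._tcp.posteo.de TLSA +noall +answer | tlsa_describe
    ldns-dane verify posteo.de 443 | dane_ok || { echo "FAIL: DANE validation failed"; rc=1; }
    return $rc
}

case "${1:-}" in run) run_checks ;; esac
```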