MAGPRO DNS.
USING LDNS+UNBOUND+NSD WITH DNSSEC AND GOST CRYPTOALGORITHMS SUPPORT
First, make sure that OpenSSL 1.0.0 is installed and
properly configured (see Installing and configuring OpenSSL 1.0.0).
LDNS
Installation from source code
On FreeBSD, use the gmake command instead of make.
You can install LDNS (with ldns-signzone and drill) as follows (we assume that OpenSSL 1.0.0 is installed in the /usr/local directory):
$ wget http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.5.tar.gz
$ tar xzf ldns-1.6.5.tar.gz
$ cd ldns-1.6.5
$ ./configure --enable-gost --with-ssl=/usr/local
$ make
$ sudo make install
$ cd examples
$ ./configure --enable-gost --with-ssl=/usr/local --with-ldns=/usr/local
$ make
$ sudo make install
$ cd ../drill
$ ./configure --with-ssl=/usr/local --with-ldns=/usr/local
$ make
$ sudo make install
Installation from FreeBSD ports
We strongly recommend that FreeBSD users install Unbound from the ports collection.
To enable GOST support, edit the default Makefile in the ports collection:
$ cd /usr/ports/dns/unbound
Edit the Makefile, replacing the string
CONFIGURE_ARGS+= --with-ssl=${OPENSSLBASE}
with the string
CONFIGURE_ARGS+= --enable-gost --with-ssl=${OPENSSLBASE}
Then install unbound:
# make
# make install
Installation from the source code
You can install unbound from source code this way:
$ wget http://unbound.net/downloads/unbound-latest.tar.gz
$ tar xzf unbound-latest.tar.gz
$ cd unbound-1.4.5
$ ./configure --enable-gost --with-ssl=/usr/local --with-ldns=/usr/local
$ make
$ sudo make install
Unbound binaries will be placed in /usr/local/sbin.
Please keep in mind that when you install Unbound from source, no init scripts are created.
Unbound configuration file sample
The key option is trust-anchor, which specifies a trusted key for a specific domain.
server:
    statistics-interval: 10
    extended-statistics: yes
    interface: 127.0.0.1
    port: 53
    access-control: 0.0.0.0/0 allow
    username: ""
    directory: "/usr/local/etc/unbound"
    logfile: "/var/log/unbound"
    root-hints: "/usr/local/etc/unbound/named.cache"
    trust-anchor: "example.com. DNSKEY 257 3 12 sMBpsrIyliXftMBafyzn+qOhAdw4nlSKbN36YLooax1jwO++hiP08M8mW3Dlo5arkii7LWF+QqqSFyHwdVbqFg=="
    val-log-level: 2
remote-control:
    control-enable: no
stub-zone:
    name: "example.com"
    stub-addr: 10.51.24.76
    stub-prime: no
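Because validation depends entirely on the trust-anchor value, it is worth checking the DNSKEY fields before Unbound loads the file. The script below is an added example, not part of the original page or of Unbound; the function names are hypothetical, requiring flags 257 is this example's own policy, and the algorithm number 12 and 64-octet key length come from RFC 5933.

```shell
# Added example (not from the original page). Function names are hypothetical.

# Decoded length in bytes of a base64 string, computed without external tools.
b64_len() {
    case $1 in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ $(( ${#1} % 4 )) -eq 0 ] || return 1
    pad=0
    case $1 in *==) pad=2 ;; *=) pad=1 ;; esac
    echo $(( ${#1} / 4 * 3 - pad ))
}

# check_trust_anchor 'owner DNSKEY flags protocol algorithm base64-key'
# Prints one line per finding; returns 0 only for a well-formed ECC-GOST KSK.
check_trust_anchor() {
    bad=0
    read -r owner type flags proto alg key <<EOF
$1
EOF
    key=$(printf '%s' "$key" | tr -d ' \t')   # zone files may wrap the key
    [ "$type" = DNSKEY ] || { echo "$owner: record type '$type' is not DNSKEY"; bad=1; }
    # Requiring 257 (zone key + SEP bit, i.e. a KSK) is this example's policy.
    [ "$flags" = 257 ] || { echo "$owner: flags '$flags', expected 257"; bad=1; }
    [ "$proto" = 3 ] || { echo "$owner: protocol '$proto', RFC 4034 requires 3"; bad=1; }
    [ "$alg" = 12 ] || { echo "$owner: algorithm '$alg' is not ECC-GOST (12)"; bad=1; }
    # RFC 5933: a GOST R 34.10-2001 public key is exactly 64 octets.
    len=$(b64_len "$key") || len=invalid
    [ "$len" = 64 ] || { echo "$owner: key length $len, expected 64 bytes"; bad=1; }
    return $bad
}

# audit_conf FILE: check every trust-anchor line; fail if there is none.
audit_conf() {
    sed -n 's/^[[:space:]]*trust-anchor:[[:space:]]*"\(.*\)".*/\1/p' "$1" | (
        n=0 fail=0
        while IFS= read -r ta; do
            n=$((n + 1))
            check_trust_anchor "$ta" || fail=1
        done
        [ "$n" -gt 0 ] || { echo "$1: no trust-anchor configured"; fail=1; }
        exit $fail
    )
}

# Demo on the trust anchor from the configuration sample above.
check_trust_anchor 'example.com. DNSKEY 257 3 12 sMBpsrIyliXftMBafyzn+qOhAdw4nlSKbN36YLooax1jwO++hiP08M8mW3Dlo5arkii7LWF+QqqSFyHwdVbqFg==' && echo "trust anchor OK"
```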
Installing NSD from the ports collection
On FreeBSD, you can install NSD from the ports collection as follows:
$ cd /usr/ports/dns/nsd
$ sudo make config
Make sure to enable DNSSEC, then build and install:
# make
# make install
Installation of NSD from the source code
You can install NSD from source code this way:
$ wget http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.5.tar.gz
$ tar xzf nsd-3.2.5.tar.gz
$ cd nsd-3.2.5
$ ./configure --with-ssl=/usr/local
$ make
$ sudo make install
NSD binaries will be placed in /usr/local/sbin.
Please keep in mind that when you install NSD from source, no init scripts are created.
An nsd.conf file example
server:
    logfile: "/var/log/nsd.log"
    pidfile: "/var/run/nsd3/nsd.pid"
    port: 53
    zonesdir: "/etc/nsd3"
zone:
    name: example.com.
    zonefile: /etc/nsd3/example.com.signed
If a signed zone is used, DNSSEC will be enabled automatically.
ATTENTION: after changing zone files, rebuild the NSD database and reload the zones by running these commands:
# nsdc rebuild
# nsdc reload