Unbound branch containing the internetnl module, used for connection test and interactive mail test on internet.nl.
-
Clone the repository locally and set the upstream (for syncing with upstream):
git remote add upstream https://github.com/NLnetLabs/unbound.git
-
If you need to sync with upstream on a previously cloned repo run:
git fetch upstream master git checkout master git merge upstream/master git push
-
Remember to checkout the proper branch again since we don't want any changes on master:
git checkout internetnl
-
Make sure that
swig
>= 3.0 is installed on your systemapt install swig3.0
-
Change #defines on top of internetnl/internetnl.c to match test environment
-
./configure --prefix=$HOME/usr/local --enable-internetnl --with-pyunbound --with-libevent --with-libhiredis
-
make install
Three delegations from the <base-domain>
(default base-domain = internet.nl)
zone are required for this module:
mail-test
, IPv6 and IPv4 glue requiredtest-ns-signed
, IPv6 and IPv4 glue required, and DS at parenttest-ns6-signed
, must only have IPv6 glue, and DS at parent
Unsigned example zonefiles are available in the internetnl
directory. Don't
forget to update the DKIM, SPF, DMARC and TLSA values to match the sending MTA,
and the IP addresses.
server:
local-zone: "." refuse
local-zone: "mail-test.<base-domain>" transparent
local-zone: "test-ns-signed.<base-domain>" transparent
local-zone: "test-ns6-signed.<base-domain>" transparent
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow_setrd
module-config: "internetnl iterator"
auth-zone:
name: "mail-test.<base-domain>"
zonefile: "mail-test.zone"
fallback-enabled: no
for-upstream: yes
for-downstream: no
auth-zone:
name: "test-ns-signed.<base-domain>"
zonefile: "test-ns-signed.zone.signed"
fallback-enabled: no
for-upstream: yes
for-downstream: no
auth-zone:
name: "test-ns6-signed.<base-domain>"
zonefile: "test-ns6-signed.zone.signed"
fallback-enabled: no
for-upstream: yes
for-downstream: no
cachedb:
redis-server-host: 127.0.0.1
redis-server-port: 6379
redis-timeout: 1000
The test-ns-signed
and test-ns6-signed
zones must be signed.
First generate the keys for this zone (we use a combined signing key here):
ldns-keygen -k -a RSASHA256 test-ns-signed.<base-domain>
ldns-keygen -k -a RSASHA256 test-ns6-signed.<base-domain>
Put the DS records in the zone, next to the delegation. The DS
records can be found in test-ns-signed.zone Ktest-ns-signed.<basedomain>.<keytag>.ds
and Ktest-ns6-signed.<basedomain>.<keytag>.ds
Then sign the zones using a recent version of ldns-signzone:
ldns-signzone -u -n -o test-ns-signed.<base-domain> test-ns-signed.zone Ktest-ns-signed.<basedomain>.<keytag>
ldns-signzone -u -n -o test-ns6-signed.<base-domain> test-ns6-signed.zone Ktest-ns-signed6.<basedomain>.<keytag>
Make the bogus wildcard records bogus by deleting RRSIGs:
sed -ie '/bogus.*IN\tRRSIG/d' test-ns-signed.zone.signed
sed -ie '/bogus.*IN\tRRSIG/d' test-ns6-signed.zone.signed
After signing the zones need to be reloaded by Unbound:
~/usr/local/sbin/unbound-control auth_zone_reload test-ns-signed.internet.nl.
~/usr/local/sbin/unbound-control auth_zone_reload test-ns6-signed.internet.nl.A
Signing (and making the bogus records bogus) must be done periodically to prevent signatures from going to expire! It is recommendable to make a simple script to execute the ldns-signzone and sed commands from cron. to run from a conjob.
Email for the interactive mail test will be send from <testid>
.mail-test
.<base-domain>
.
Receivers of these email messages should now query for DKIM, DMARC and SPF records. Queries that will be logged, and there corresponding redis keys:
- TXT
<testid>
.mail-test
.<base-domain>
-->interactivemailtest:spf:<testid>
- TXT _dmarc.
<testid>
.mail-test
.<base-domain>
-->interactivemailtest:dmarc:<testid>
- TXT selector._domainkey.
<testid>
.mail-test
.<base-domain>
-->interactivemailtest:dkim:<testid>
If the receiver of the email message will reply the mx record will be requested and generated by the internetnl Unbound module:
- MX
<testid>
.mail-test
.<base-domain>
--><testid>
.test-ns-signed
.<base-domain>
, the default signed-lab is "test-ns-signed".
If the user's MTA will validate DANE, a query will be send and logged in redis:
- TLSA _25._tcp.
<testid>
.test-ns-signed
.<base-domain>
-->interactivemailtest:dane:<testid>
.
For queries for the connection test the address of the resolver contacting us will be logged.
Connection test queries are a subdomain of:
conn
.test-ns-signed
.<base-domain>
bogus
.conn
.test-ns-signed
.<base-domain>
conn
.test-ns6-signed
.<base-domain>
bogus
.conn
.test-ns6-signed
.<base-domain>
Queries that are subdomain of the bogus names will be answered with a DNSSEC bogus answer.
Addresses will be logged in a redis set, with as key "ns_<qname>
"