Enabling DNSSEC validation with the root trust anchor in BIND
-------------------------------------------------------------

You need to log in to your resolver (cache) machine.

1. Grab the root key

Using "dig"
-----------

You could also:

    $ dig -t dnskey . @10.10.0.241

and copy the longest DNSKEY record, assuming it is the KSK.

Question: Why is this bad?

(Hint: two things. The answer you just copied arrived in an ordinary,
unauthenticated DNS response, so anyone who can spoof or tamper with it
chooses your trust anchor. And "longest" is not what makes a key a KSK;
the flags field does (257 = zone key with the SEP bit set, i.e. a KSK;
256 = a ZSK). A candidate anchor has to be checked against something you
obtained out of band, such as the DS digest of the root KSK that IANA
publishes.)

Now edit /etc/bind/named.conf.options and paste the key in the following
format:

    managed-keys {
        // paste here the contents
    };

named.conf.options should look something like this when done:

    # cat /etc/bind/named.conf.options
    options {
        directory "/etc/bind/working";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        recursion yes;
        dnssec-validation yes;
        allow-query { any; };
    };

    zone "." {
        type hint;
        file "/etc/bind/named.root";
    };

    managed-keys {
        "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
        bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
        /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
        JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
        oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
        LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
        Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
        LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
    };

Again, make sure quotes and semicolons are balanced; running named-checkconf
before the restart will catch a missing one.

Notes:

 - managed-keys (with initial-key) tells BIND to use the key only as a
   starting point and then track key rollovers signalled by the zone
   (RFC 5011). The older trusted-keys statement is static: BIND trusts
   exactly that key, forever, and will start failing validation when the
   zone rolls its KSK. Recent BIND versions (9.16 and later) replace both
   statements with trust-anchors { ... initial-key ... } and, with
   dnssec-validation auto, ship the current root anchor built in.

 - The key shown above is the 2010 root KSK (key tag 19036). It was
   replaced by KSK-2017 (key tag 20326) in October 2018, so on a resolver
   that talks to the real root it is no longer sufficient on its own; take
   the current anchor from IANA. On the lab root, use the KSK that root
   actually serves and verify it the same way.

2. Restart the nameserver

    # service named restart

3. Run a few queries:

    $ dig @localhost +dnssec . SOA
    $ dig @localhost +dnssec mytld. SOA

What do you notice? Look at the flags in the header (is "ad" set, meaning
the resolver validated the answer?) and at whether RRSIG records come back
next to the SOA. Compare the two queries: an answer can only be marked
authentic if there is an unbroken chain of DS and DNSKEY records from the
configured trust anchor down to the zone being queried.

4. If you haven't already done so, you can go back to the DNS logging
exercise, enable logging on your RESOLV host, and look at the dnssec log
file...
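The check the "Why is this bad?" question is pointing at, worked through in code. This is an added example, not part of the original lab handout and not BIND's own code. It makes no use of the lab network: the DNSKEY lines it processes are constructed to look like dig output (the first carries the key printed in the handout, which is the 2010 root KSK; the second is the same line with one character changed; the third is a flags=256 key with made-up material standing in for a ZSK). The two DS digests it checks against are the ones IANA published for the 2010 and 2017 root KSKs (key tags 19036 and 20326), which is the kind of out-of-band value a candidate anchor must be verified against. It computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) itself, so nothing beyond the Python standard library is needed.

```python
"""Check a DNSKEY copied from a dig answer against an out-of-band trust anchor.

Added example, not part of the lab handout or of BIND. A KSK is recognised by
its flags (257 = zone key + SEP), never by its length, and a key that arrives
in an unauthenticated DNS answer is only usable as a trust anchor after its
DS digest matches a value obtained out of band.
"""
import base64
import hashlib
import hmac
import struct

# Out-of-band anchors, (key tag, algorithm, digest type) -> hex digest, as
# published in IANA's root-anchors.xml for KSK-2010 and KSK-2017.
IANA_ROOT_DS = {
    (19036, 8, 2): "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
    (20326, 8, 2): "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
}

# Constructed dig-style lines. ROOT_KSK_2010 is the key from the handout;
# TAMPERED_KSK has one character changed (what a spoofed answer could carry);
# FAKE_ZSK is a flags=256 record with made-up key material.
ROOT_KSK_2010 = (
    ".\t172800\tIN\tDNSKEY\t257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh"
    "/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp"
    "oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO"
    "Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)
TAMPERED_KSK = ROOT_KSK_2010.replace("AwEAAagA", "AwEAAagB", 1)
FAKE_ZSK = ".\t172800\tIN\tDNSKEY\t256 3 8 " + base64.b64encode(
    b"constructed key material, not a real ZSK").decode()


def name_to_wire(name):
    """Owner name in wire format; the root "." is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' as dig prints it.

    Returns (owner, flags, protocol, algorithm, rdata); rdata is the wire RDATA,
    which is what both the key tag and the DS digest are computed over.
    """
    fields = line.split(";")[0].split()            # drop any trailing comment
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, proto, alg, struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest per RFC 4034 5.1.4: hash(owner name in wire form || DNSKEY RDATA)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def is_ksk(flags):
    """KSK = Zone Key bit (256) plus SEP bit (1), i.e. 257. Length tells you nothing."""
    return (flags & 0x0101) == 0x0101


def check_anchor(line, anchors=IANA_ROOT_DS):
    """Return (key tag, verdict) for one DNSKEY line.

    Verdict is 'not-a-ksk', 'unknown-key-tag', 'digest-mismatch' or 'verified'.
    """
    owner, flags, proto, alg, rdata = parse_dnskey(line)
    tag = key_tag(rdata)
    if proto != 3 or not is_ksk(flags):
        return tag, "not-a-ksk"
    expected = anchors.get((tag, alg, 2))
    if expected is None:
        return tag, "unknown-key-tag"
    if not hmac.compare_digest(ds_digest(owner, rdata, 2), expected):
        return tag, "digest-mismatch"
    return tag, "verified"


def select_trust_anchors(lines, anchors=IANA_ROOT_DS):
    """From a whole DNSKEY RRset, keep only the keys that verify against the anchors."""
    return [line for line in lines if check_anchor(line, anchors)[1] == "verified"]


if __name__ == "__main__":
    rrset = [ROOT_KSK_2010, TAMPERED_KSK, FAKE_ZSK]
    for line in rrset:
        tag, verdict = check_anchor(line)
        print(f"key tag {tag:5d}: {verdict}")
    print(len(select_trust_anchors(rrset)), "usable anchor(s)")
```

Run it as-is and only the untouched 257 record survives; the single-character change in the second line shifts its key tag and digest, and the 256 record is never considered, whatever its length. To apply the same check to the lab root, replace IANA_ROOT_DS with the DS value the lab gives you out of band and feed it the DNSKEY lines from the dig in step 1.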