Date: 2017-02-26
macOS Sierra 10.12.3

Install Homebrew
----------------
Homebrew site: https://brew.sh/index_fr.html
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install -o install_homebrew
/usr/bin/ruby install_homebrew

Install unbound
---------------
brew install unbound ldns

For DNSSEC
----------
unbound-anchor -a /usr/local/etc/unbound/root.key
unbound-control-setup -d /usr/local/etc/unbound

4 - unbound config file
-----------------------
/usr/local/etc/unbound/unbound.conf
server:
    verbosity: 1
    num-threads: 4
    interface: 127.0.0.1
    access-control: 127.0.0.1/8 allow
    # private-address: these addresses are removed from answers for public names (DNS rebinding protection).
    # The full RFC 1918 ranges are 172.16.0.0/12 and 192.168.0.0/16; the narrower prefixes below cover only part of them.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/16
    private-address: 192.168.0.0/24
    port: 53
    outgoing-range: 256
    msg-cache-size: 50m
    msg-cache-slabs: 4
    num-queries-per-thread: 128
    rrset-cache-size: 100m
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    username: "sniperovitch"
    # Root trust anchor created by unbound-anchor; enables DNSSEC validation.
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    key-cache-slabs: 4

Test DNSSEC
drill comes with the ldns package (not required for unbound)
drill -D TXT test.dnssec-or-not.net @localhost
The "ad" flag must appear in the list of flags
drill -D TXT test.dnssec-or-not.net @localhost
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 33241
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; test.dnssec-or-not.net. IN TXT
;; ANSWER SECTION:
;; AUTHORITY SECTION:
dnssec-or-not.net. 60 IN SOA ns0.dnssec-or-not.net. dnsadm.verisignlabs.com. 2015061291 900 300 2592000 60
dnssec-or-not.net. 60 IN RRSIG SOA 5 2 3600 20170322050102 20170220050102 2256 dnssec-or-not.net. d0paL2YmXQGY4an4K8lf9uc1GbbGbqRa7UHe6KHQ0+FuSZObLoLp75S+TVQlQkktOI4ajwoQwgvTxAkPAsBENt7FnUn+QvDRT47a0Z/NoENbe7XWVT8pog8Q/ofqC2frrNnADsHEW88B9vG62aoRFaJ3JXtX+PMQ9hH2foRBEiU=
test.dnssec-or-not.net. 60 IN NSEC www.dnssec-or-not.net. A RRSIG NSEC
test.dnssec-or-not.net. 60 IN RRSIG NSEC 5 3 60 20170322050102 20170220050102 2256 dnssec-or-not.net. X0IndANlha1vVp6c2VsW3V972lNc2Vh0S6VUiCP8B9dpKR4aEsrrojs/rRw1k1GQfYjQ4a1dMnD/HmT5ZEoF4ULVv/6BM98BLl/hXE+tWnkPQbAYyZuAgyLfHm6/puxwbhvWJwzEMI3+0DAC60P1bJL7v/ncStU1bsEnwR4CegY=
;; ADDITIONAL SECTION:
;; Query time: 125 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; SERVER: 127.0.0.1
;; WHEN: Sun Feb 26 16:55:35 2017
;; MSG SIZE rcvd: 511
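
The "ad" flag check can be scripted instead of read by eye. This is an added example, not part of the original notes: the function name dnssec_status and its output labels are assumptions, the first sample is the header from the drill run above, and the other two samples are constructed.

```shell
#!/bin/sh
# Classify a drill response read on stdin by its header:
#   validated   - "ad" flag set: the resolver validated the DNSSEC chain
#   unvalidated - answer without "ad": unsigned zone or no validation done
#   servfail    - rcode SERVFAIL: a validating resolver answers this for data
#                 that fails validation (and for other resolution failures)
#   no-header   - no ";; flags:" line found in the input
dnssec_status() {
    awk '
        /->>HEADER<<-/ && match($0, /rcode: [A-Z]+/) {
            rcode = substr($0, RSTART + 7, RLENGTH - 7)
        }
        /^;; flags:/ {
            sub(/^;; flags:/, "")   # drop the label
            sub(/;.*/, "")          # drop the counters after the flag list
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
            seen = 1
        }
        END {
            if (!seen)                    print "no-header"
            else if (rcode == "SERVFAIL") print "servfail"
            else if (ad)                  print "validated"
            else                          print "unvalidated"
        }'
}

# Header from the drill run shown above.
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 33241
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0'
# Constructed samples: an answer without "ad", and a SERVFAIL reply.
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 1
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 2
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

for sample in "$SAMPLE_AD" "$SAMPLE_NO_AD" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$sample" | dnssec_status
done
# Live use: drill -D TXT test.dnssec-or-not.net @localhost | dnssec_status
```
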

To check the config:
/usr/local/sbin/unbound-checkconf
To start/stop unbound (sudo is required to access port 53):
sudo brew services start unbound
sudo brew services stop unbound
sudo brew services restart unbound
If unbound starts and then stops, brew services does not report it.
ps -ef | grep unbound to check whether it is running
To run it in the foreground and see whether there is a problem:
/usr/local/sbin/unbound
(That is how I saw a problem with the number of open files)
$ /usr/local/sbin/unbound
[1488120606] unbound[12444:0] warning: setrlimit: Invalid argument
[1488120606] unbound[12444:0] warning: cannot increase max open fds from 256 to 16518
[1488120606] unbound[12444:0] warning: continuing with less udp ports: 31
[1488120606] unbound[12444:0] warning: increase ulimit or decrease threads, ports in config to remove this warning