Run hsd as a root server only, on 127.0.0.2:53,
and let knot-resolver do the recursion (recommended):
hsd --no-wallet --no-rs --no-sig0 --ns-host 127.0.0.2 --ns-port 53
Then add the hsd root KSK to knot-resolver's trust-anchor file, /var/lib/knot-resolver/root.keys, so that answers from the hsd root zone validate.
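As an added illustration of the trust-anchor step above (not part of the original page), this script turns the DNSKEY records that the hsd root server returns (for example the output of `dig @127.0.0.2 . DNSKEY`) into DS lines of the form used in root.keys, keeping only keys with the SEP bit set, and computes the RFC 4034 key tag so the entry can be compared with the key tag hsd reports. The sample dig output embedded below is constructed for the test and is not hsd's real key.

```python
import base64
import hashlib
import struct

# Constructed sample of what `dig @127.0.0.2 . DNSKEY` prints: one ZSK
# (flags 256) and one KSK (flags 257, SEP bit set), algorithm 13.
# The public-key bytes are made up; this is NOT hsd's real root KSK.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
.\t3600\tIN\tDNSKEY\t256 3 13 AQIDBA==
.\t3600\tIN\tDNSKEY\t257 3 13 AQIDBA==
"""

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format RDATA of a DNSKEY record (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse one DNSKEY line in dig's presentation format -> (owner, rdata)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = "".join(fields[idx + 4:])  # base64 may be split into several tokens
    return fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey)

def ds_line(owner, rdata):
    """DS record with digest type 2 (SHA-256, RFC 4509) for a trust-anchor file."""
    # Owner name in wire format; the root "." is a single empty label.
    wire = b"\x00" if owner == "." else b"".join(
        bytes([len(l)]) + l.encode() for l in owner.rstrip(".").split(".")) + b"\x00"
    digest = hashlib.sha256(wire + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {digest}"

def trust_anchor_lines(dig_output):
    """Return DS lines for every KSK (SEP bit set) found in dig output."""
    lines = []
    for line in dig_output.splitlines():
        if line.startswith(";") or "DNSKEY" not in line:
            continue
        owner, rdata = parse_dnskey(line)
        if struct.unpack("!H", rdata[:2])[0] & 0x0001:  # SEP bit -> KSK
            lines.append(ds_line(owner, rdata))
    return lines

if __name__ == "__main__":
    print("\n".join(trust_anchor_lines(SAMPLE_DIG_OUTPUT)))
```

Paste the real output of dig against 127.0.0.2 in place of the sample, and check that the key tag in the generated DS line matches the tag of the key hsd is signing the root zone with before appending it to root.keys.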
Creating a self-signed certificate for example.com
(if you already have a certificate you can skip this step):
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout cert.key -out cert.crt -extensions ext -config \
  <(echo "[req]";
    echo distinguished_name=req;
    echo "[ext]";
    echo "keyUsage=critical,digitalSignature,keyEncipherment";
    # SAN added so clients accept the certificate for example.com
    echo "subjectAltName=DNS:example.com";
  ) -subj "/CN=example.com"
This is a proof-of-concept branch for fixing NSEC proofs in HSD.
These are some example configurations for running a standalone HSD root server with an external DNSSEC-validating recursive resolver. You can let BIND or an external Unbound resolver do most of the work of resolving and validating DNSSEC; HSD is only responsible for serving the root zone.
Install hsd using the blacklies branch:
git clone https://github.com/buffrr/hsd
cd hsd && git checkout blacklies