OpenBSD unbound and nsd mini howto

The scope of this how to is to show a simple configuration of an OpenBSD server as NSD (Authoritative) +Unbound (Recursive) name server.

Since it is a 2-leg installation in order to add a zone on Authoritative name server the procedure is the following.

• Create the zone file with the appropriate content
• Add the new zone to nsd.conf
• Run nsdc rebuild && nsdc reload
• Add the new zone to unbound.conf
• Restart unbound

In order to have a BIND’s split horizon on NSD/Unbound setup we must deploy multiple NSD instances

NSD part

The configuration of NSD is located under /etc/nsd.conf. For R&D we create a new subdomain (i.e. lab2.echothrust.dev) and its reverse zone.

# $OpenBSD: nsd.conf,v 1.5 2011/12/15 14:51:46 sobrado Exp $
server:
    hide-version: yes
    database: "/var/nsd/db/nsd.db"
    username: _nsd
    logfile: "/var/log/nsd.log"
    pidfile: "/var/nsd/run/nsd.pid"
    difffile: "/var/nsd/run/ixfr.db"
    xfrdfile: "/var/nsd/run/xfrd.state"
    ip-address: "10.0.2.254"
    port: "5353"

## master zone example
zone:
    name: "lab1.echothrust.dev"
    zonefile: "lab1.echothrust.dev"

zone:
    name: "1.0.10.in-addr.arpa"
    zonefile: "10.0.1"

Since we are going to host both services on the same host we change the default port (53) of NSD in order to avoid conflicts with unbound.

NSD keeps a journal file with the contents of the zone transfers (difffile: “ixfr.db” setting in the configuration file). This file will slowly grow as zone transfers are done. To clean up the journal file issue a patch command nsdc patch

Unbound

The configuration files of Unbound are located under /var/unbound/etc. In order to know which ROOT-SERVER should ask for non-Authoritative domains we must download the root.hints from ftp://FTP.INTERNIC.NET/domain/named.cache.

In order to be able to use the unbound-control for start/stop/restart the daemon, we must create certs and keys for unbound. To accomplish that we run unbound-control-setup and unbound places 2 pairs of certs and keys. One for the server side and one for the client. The default location of the pairs is under /var/unbound/etc/ directory.

#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.4.17.
#
# this is a comment.

#Use this to include other text into the file.
#include: "otherfile.conf"

# The server clause sets the main parameters.
server:
  verbosity: 1
  hide-version: yes
  # We haven't applied any trust-anchors in order to use 'validator' so
  # we use iterator
  module-config: "iterator"

  # We need the following rules in order to let nsd handle the reverse lookup for our lan address space.
  # Seems that unbound.conf can't accept subnets of the 10/8-network (i.e 2.0.10.in-addr.arpa.).
  local-zone: "10.in-addr.arpa." nodefault
  domain-insecure: "10.in-addr.arpa"

  interface: 10.0.1.254
  interface: 10.1.1.254
  interface: 127.0.0.1

  access-control: 172.16.10.0/24 deny
  access-control: 127.0.0.0/8 allow
  access-control: 10.0.1.0/24 allow
  access-control: 10.1.1.0/24 allow

  cache-max-ttl: 10
  do-ip6: no
  chroot: "/var/unbound"
  root-hints: "/etc/root.hints"
  do-ip6: no

remote-control:
  control-enable: yes
  server-key-file: "unbound_server.key"
  server-cert-file: "unbound_server.pem"
  control-key-file: "unbound_control.key"
  control-cert-file: "unbound_control.pem"


forward-zone:
  name: "."
  forward-addr: 172.16.10.254

stub-zone:
  name: "lab1.echothrust.dev"
  stub-addr: 10.0.1.254@5353

stub-zone:
  name: "dmz1.echothrust.dev"
  stub-addr: 10.0.1.254@5353

stub-zone:
  name: "1.0.10.in-addr.arpa"
  stub-addr: 10.0.1.254@5353