[Unbound-users] About trust-anchor-files
Paul Wouters
paul at xelerance.com
Tue Feb 17 16:23:47 UTC 2009
On Tue, 17 Feb 2009, JB wrote:
> In my unbound.conf I have:
>
> ...
> trust-anchor-file: "/usr/local/etc/unbound/ancoras/br.anchor"
> trust-anchor-file: "/usr/local/etc/unbound/ancoras/dlv.isc.org.anchor"
> ...
>
> But I saw in Chris Griffiths message:
>
> ...
> trust-anchor-file: "/etc/unbound/anchors/br.anchor"
> trust-anchor-file: "/etc/unbound/anchors/se.anchor"
> trust-anchor-file: "/etc/unbound/anchors/bg.anchor"
> trust-anchor-file: "/etc/unbound/anchors/pr.anchor"
> trust-anchor-file: "/etc/unbound/anchors/cz.anchor"
> ...
>
> My question is about how many trusted keys for validation I must use. And, if
> I manage about 200 domains, must I take care of them in my recursive
> servers, including their trusted keys? Is there any additional security advantage
> to taking care of anchors for .br, .se, .bg and so on?
Until the root is signed, and if you don't want to use DLV for those queries,
yes.
To make it easier, I wrote "dnssec-conf":
http://www.xelerance.com/software/dnssec-conf/
If you're on Fedora/RHEL/CentOS, do:
yum install dnssec-conf
dnssec-configure -u --dnssec=on --dlv=on --production
You will find all the keys in /etc/pki/dnssec-keys/
See further: man dnssec-configure, man dnskey-pull
Paul
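Paul's reply ends above. What follows is an added example, not part of his post and not code from dnssec-conf or Unbound: it performs the check a practitioner wants when collecting per-TLD trust anchors by hand, namely whether a DNSKEY line in a trust-anchor-file really is the key that the zone operator's out-of-band published DS record commits to (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4 and RFC 4509). The sample anchor is the 2010 root KSK (key tag 19036) together with the DS record IANA published for it; that key was retired in the 2018 KSK rollover and is used here only because both values are public and can be cross-checked offline. All function names are my own.

```python
"""Verify that a DNSKEY trust anchor matches an out-of-band published DS record.

Added example for checking hand-collected unbound trust-anchor-file entries.
Both records below are public, historical values (root KSK-2010, now retired)
and serve only as a constructed, offline-checkable test vector.
"""
import base64
import hashlib
import struct

SAMPLE_ANCHOR = (
    ". IN DNSKEY 257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
    " ;{id = 19036 (ksk), size = 2048b}"
)
SAMPLE_DS = (
    ". IN DS 19036 8 2 "
    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
)

# Digest types from the IANA DS registry that this example supports.
_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_dnskey(line):
    """Parse one DNSKEY RR in zone-file syntax (the trust-anchor-file format).

    Optional TTL/class fields are skipped by locating the DNSKEY type token.
    Returns (owner, flags, protocol, algorithm, public_key_bytes).
    """
    fields = line.split(";", 1)[0].split()  # drop trailing ';' comment
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # key may be split by spaces
    return fields[0], flags, proto, alg, key


def parse_ds(line):
    """Parse one DS RR. Returns (owner, key_tag, algorithm, digest_type, digest_hex)."""
    fields = line.split(";", 1)[0].split()
    i = fields.index("DS")
    tag, alg, dtype = (int(f) for f in fields[i + 1:i + 4])
    return fields[0], tag, alg, dtype, "".join(fields[i + 4:]).upper()


def dnskey_rdata(flags, proto, alg, key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(owner):
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    name = owner.lower().rstrip(".")
    labels = name.split(".") if name else []  # the root "." is just the zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner, flags, proto, alg, key, dtype=2):
    """Derive (key_tag, algorithm, digest_type, digest_hex) from a DNSKEY.

    digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 5.1.4 / RFC 4509.
    """
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = _DIGESTS[dtype](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, dtype, digest


def is_ksk(flags):
    """True if the SEP bit (bit 15, value 1) is set; anchors are normally KSKs."""
    return bool(flags & 0x0001)


def anchor_matches_ds(dnskey_line, ds_line):
    """True iff the DNSKEY anchor is the key the published DS record commits to."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    ds_owner, tag, ds_alg, dtype, digest = parse_ds(ds_line)
    if owner_wire(owner) != owner_wire(ds_owner):
        return False  # DS for a different zone proves nothing about this key
    if dtype not in _DIGESTS:
        return False  # unknown digest type: refuse rather than guess
    return ds_from_dnskey(owner, flags, proto, alg, key, dtype) == (tag, ds_alg, dtype, digest)


if __name__ == "__main__":
    owner, flags, proto, alg, key = parse_dnskey(SAMPLE_ANCHOR)
    tag, alg, dtype, digest = ds_from_dnskey(owner, flags, proto, alg, key)
    print(f"computed DS for {owner}: {tag} {alg} {dtype} {digest}")
    print("SEP/KSK flag set:", is_ksk(flags))
    print("matches published DS:", anchor_matches_ds(SAMPLE_ANCHOR, SAMPLE_DS))
    # A one-bit change to the flags field already breaks both key tag and digest.
    print("tampered copy matches:", anchor_matches_ds(SAMPLE_ANCHOR.replace("257", "256", 1), SAMPLE_DS))
```

Run it against each DNSKEY line you intend to list under trust-anchor-file, with the DS value taken from a channel independent of where you fetched the key (the operator's signed announcement, a published DS set, or DLV). When a zone's DS is already present in a signed parent, Unbound performs exactly this comparison during validation; the script only covers the out-of-band case that per-TLD anchors create before the parent is signed.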