[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation

Bry8 Star bry8star at yahoo.com
Fri Aug 24 06:18:28 UTC 2012

Hi Leen, Paul,

On 8/23/2012 2:14 AM, Leen Besselink wrote:
> You'll need a stub-zone and (auto-)trust-anchor for
> each TLD that supports DNSSEC.

On 8/23/2012 3:40 PM, Paul Wouters wrote:
>> if 42 TLD supports/has DNSSEC components, then
>> how can i use them ? or
>> how to enable DNSSEC for 42 TLD ?
> You can preload any dnssec key with trusted-keys-file:
> What you are doing (at the root) is not much different
> from adding "private views" higher up. So googling for
> "bind views" might help you as well.

For example, let us assume, '42' TLD has it's own DS, RRSIG, etc DNSSEC
records for the "42." TLD, then doing such would be suffice in
service.conf or in unbound.conf ? :
# removed or 'commented-out' the below line
#domain-insecure: "42"
 name: "42" # http://42registry.org/
 stub-addr: # name / DNS Srvr
 # test with "search.42"
 trust-anchor-file: "C:\Program Files\Unbound\42registry.42.key"

(Now hypothetically) if cesidianRoot signs all of their 84 TLDs which
are under their authority, with similar/same key, then, do i have to add
84 "trust-anchor-file: "filename" lines ?

Thanks for all of your help on these.

More information about the Unbound-users mailing list