[Unbound-users] Delegation-only zones and non-root zone RFC 5011?
wouter at nlnetlabs.nl
Tue Jan 20 09:25:06 UTC 2015
On 20/01/15 05:32, Viktor Dukhovni wrote:
> On Mon, Jan 19, 2015 at 10:21:36AM +0000, Tony Finch wrote:
>>>> On Sat, Jan 17, 2015 at 10:08:48PM +0000, Viktor Dukhovni
>>>>> Also, how would one configure unbound to use an
>>>>> auto-trust-anchor-file via RFC 5011 for a given gTLD or
>>>>> $ dig mytld DNSKEY > mytld.key
>>>>> # check if key is trustworthy
>>>>> # add a line to unbound.conf:
>>>> Any comment on my second question? If one enables RFC 5011
>>>> tracking for all the trust anchors one cares about, it is no
>>>> longer necessary to worry about delegation-only above those
>>>> trust anchors.
>> I don't know of any zones other than the root which promise to
>> follow the RFC 5011 key rollover timing requirements. (And even
>> the root zone does it wrong by not having a standby KSK.)
>> If you want to use RFC 5011 on a TLD you will have to inspect
>> their DNSSEC Practice Statement with care.
> Yes of course, that makes sense. We may not be quite there
> yet. And yet at some point this may become more important, and so
> the question is whether unbound is ready to support such non-root
> zones if/when they show up...
You can add them into the config file with the auto-trust-anchor-file
statement. You can repeat this statement in the config file to add
more trust anchors.
> I can, for example, envision the ".de" TLD adopting such a policy,
> and interested resolvers starting to track those keys per RFC 5011,
> thereby closing opportunities for the root zone keys to return
> improper .de answers.
If you have nested trust anchors, unbound uses the closest one by
preference (i.e. exactly what you say that you want).
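As an added example (not code from this thread or from unbound), the two checks a resolver operator would do by hand in this workflow: the "is the key trustworthy" step before the fetched DNSKEY becomes an anchor, done by computing its key tag and SHA-256 DS digest and comparing them with the DS the parent zone (or the TLD's practice statement) publishes, and the closest-anchor rule Wouter describes for nested trust anchors. The `mytld` name, the sample DNSKEY and the helper names `matches_ds` and `closest_anchor` are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample (not a real TLD key): flags 257 = KSK, algorithm 8, and a
# four-byte stand-in for the public key so the numbers are easy to follow.
SAMPLE_DNSKEY = "mytld. 3600 IN DNSKEY 257 3 8 AQIDBA=="

def name_to_wire(name):
    """Owner name in canonical wire form (lower-case labels, RFC 4034 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def parse_dnskey(line):
    """Return (owner, algorithm, rdata) from a presentation-format DNSKEY RR."""
    f = line.split()
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[7:]))
    return f[0], alg, rdata

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(line):
    """(key tag, algorithm, SHA-256 digest) that a DS record for this key carries."""
    owner, alg, rdata = parse_dnskey(line)
    return key_tag(rdata), alg, hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def matches_ds(dnskey_line, ds_line):
    """True if the fetched DNSKEY hashes to the DS the parent (or the DPS) publishes."""
    f = ds_line.split()
    tag, alg, digest_type = int(f[4]), int(f[5]), int(f[6])
    # Only digest type 2 (SHA-256) is handled; anything else is treated as no match.
    return digest_type == 2 and (tag, alg, "".join(f[7:]).lower()) == ds_sha256(dnskey_line)

def closest_anchor(qname, anchors):
    """Longest-suffix match: with anchors for '.' and 'de.', names under de. use de."""
    q = qname.lower().rstrip(".")
    best = None
    for a in anchors:
        z = a.lower().rstrip(".")
        if z == "" or q == z or q.endswith("." + z):
            if best is None or len(z) > len(best.rstrip(".")):
                best = a
    return best
```

A key whose tag and digest do not match the parent's DS (or the value in the DPS) should not be written to the auto-trust-anchor-file.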