Using unbound-anchor for non-default trust anchor
paul at nohats.ca
Tue Jul 28 16:12:21 UTC 2015
On Tue, 28 Jul 2015, Edward Lewis via Unbound-users wrote:
> unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org.
> I am trying to test RFC 5011 capabilities by following these websites:
> Goal is to run unbound-anchor as a first step before trying to tune
> unbound to either of those experiments.
Have you tried using /etc/hosts entries for data.iana.org pointing to
the others? :)
More seriously, from the man page:
The server name, it connects to https://name. Specify without
https:// prefix. The default is "data.iana.org". It connects
to the port specified with -P. You can pass an IPv4 addres or
IPv6 address (no brackets) if you want.
The pathname to the root-anchors.xml file on the server. (forms
URL with -u). The default is /root-anchors/root-anchors.xml.
The pathname to the root-anchors.p7s file on the server. (forms
URL with -u). The default is /root-anchors/root-anchors.p7s.
This file has to be a PKCS7 signature over the xml file, using
the pem file (-c) as trust anchor.
More information about the Unbound-users