unbound-control to display trust anchors?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Aug 29 07:15:39 UTC 2018

On Tue, Aug 28, 2018 at 09:44:38AM -0700,
 David Conrad <drc at virtualized.org> wrote 
 a message of 161 lines which said:

> On September 5 2017, we’ve published
> https://www.icann.org/dns-resolvers-checking-current-trust-anchors

Thanks, I did not notice it. Very useful.

> If this is incomplete, please let us know.

The advice for Unbound is not perfect. It says "Look in the root.key
file in Unbound's configuration directory, which is usually
/etc/unbound." A Debian default installation, for instance, does not
put the TA file there (/etc/unbound is not writable, which prevents
RFC 5011 to work). I would suggest "Look in the trust anchors file. It
is indicated in Unbound's configuration file(s), which location depend
on your operating system. In the configuratin file(s), search
directives trust-anchor-file or auto-trust-anchor-file, then display
the indicated trust anchor file."

For Knot Resolver, the keys file indicate the key tag, so it is not
necessary to check the entire key. Here is an example (this Knot
installation does not use the ICANN root):

root at turris:/etc/kresd# cat root.keys 
.                   	3600	DNSKEY	257 3 8 AwEAAdZZqL65TA/kHkLq1+ON5eQYm9PUBgV5UQbPcQtRAXbad1l6m6R0iJIg46IiyFyUkEh+H7Z9/oPNnkM9zub2TjFiNVZUSnpyWtPqVD5nHrhUOdS3yW/AXpZuNJ3zX9XDXUpiEnfTPOMrUiZppP1fqx/jnAC9YDLs4K26ocoDyQp+umu+eOrP/TOacRag+9r9NiQzsVuXHQnCwpPY4NwlA7QRaOOjBiI9tNEDD2khVE7Yy5c/sZYirlTOTEBbXkd9l9WVqRgEO+ikb8GMg7hgOddvqj7ItBZvBUACQc3c0OqaLnEZx6CwIQpjxpPPYdyiEdKSwHGH3V3TfS+AEQlW8uk= ; Valid: ; KeyTag:59302

Also, Knot has an useful console, so you may instead type
'trust_anchors.keysets' in the console.

> trust_anchors.keysets
[\0] => {
    [1] => {
        [owner] => \0
        [key_tag] => 59302
        [comment] =>  Valid: ; KeyTag:59302
        [class] => 1
        [state] => Valid
        [rdata] => \1\1\3\8\3\1\0\1\214Y\168\190\185L\15\228\30B\234\215\227\141\229\228\24\155\211\212\6\5yQ\6\207q\11Q\1v\218wYz\155\164t\136\146 \227\162...
        [ttl] => 3600
        [type] => 48
    [filename] => /etc/kresd/root.keys
    [refresh_ev] => 10
    [owner] => \0

More information about the Unbound-users mailing list