1.7.3 - trusted-keys-file location
Wouter Wijngaards
wouter at nlnetlabs.nl
Thu Jul 26 14:20:41 UTC 2018
Hi,
On 26/07/18 16:15, ѽ҉ᶬḳ℠ via Unbound-users wrote:
> Hi,
>
> to my understanding it is feasible to have DNSSEC served for private
> zones in stub-zone, requiring a trusted key entry with the public key
> in config - that would be through > trusted-keys-file: <, right?
trusted-keys-file reads the BIND syntax for a key statement, but not the
managed 'db' file that has internal BIND stuff for key rotation.
trust-anchor-file is easy: just copy and paste the DNSKEY or DS records
in there. Like, grep DNSKEY example.com.zone > example.com.key
auto-trust-anchor-file enables RFC5011 rotation and keeps track of whether
the keys are rotated (like, for the root zone that is important).
You can start the auto-trust-anchor-file rotation by providing a file
like for trust-anchor-file: a plain text file with DNSKEY or DS records
in there.
By default chroot is enabled; chroot: "" disables the use of chroot.
Best regards, Wouter
>
> Since the authoritative server is Bind 9.13.0, I thought it would make
> sense to utilize its zone file straight away for unbound as >
> trusted-keys-file: "/var/named/mail.db" <. However, unbound is reporting
>
> /etc/unbound/var/named/mail.db: No such file or directory
> [1532614243] unbound-checkconf[2467:0] fatal error: trusted-keys-file:
> "/var/named/mail.db" does not exist in chrootdir /etc/unbound
>
> There is no chroot directive in the unbound conf however...
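The following script is an added example, not code from the thread or from the Unbound project. It does what Wouter's "grep DNSKEY zone > zone.key" suggests, but handles the two things that make a raw grep of a BIND zone file unusable as a trust-anchor-file: DNSKEY records wrapped in parentheses across several lines, and "@" or relative owner names that only make sense together with $ORIGIN. It also reproduces the path lookup behind the quoted unbound-checkconf error, so the chroot behaviour can be seen without running unbound. The zone content, the placeholder key strings, the stub-addr and the file names are constructed for the example; relative paths are assumed to resolve against the chroot itself (directory: left at its default).

```shell
#!/bin/sh
# Added example, not code from the thread or from the Unbound project.
# 1. extract_anchors: turn the DNSKEY/DS records of a BIND zone file into the
#    plain-text RR list that trust-anchor-file / auto-trust-anchor-file read.
#    "grep DNSKEY zone > zone.key" only manages that when every record sits on
#    one line and every owner name is fully qualified.
# 2. resolve_in_chroot: reproduce the lookup behind the unbound-checkconf
#    message quoted in the thread (config paths are looked up under chrootdir).
#
# A matching unbound.conf fragment (directives as documented in unbound.conf(5)):
#   server:
#     trust-anchor-file: "/etc/unbound/mail.example.key"  # inside the chroot
#   stub-zone:
#     name: "mail.example."
#     stub-addr: 192.0.2.53   # constructed address of the BIND server

# Constructed zone fragment with placeholder key data (not real keys). The KSK
# uses BIND's parenthesised multi-line style, the ZSK sits on one line.
SAMPLE_ZONE='$ORIGIN mail.example.
$TTL 3600
@       IN SOA ns1.mail.example. hostmaster.mail.example. (
                2018072601 3600 1800 604800 3600 )
        IN NS  ns1.mail.example.
; placeholder key material, constructed for this example
@       IN DNSKEY 257 3 13 ( KSKCONSTRUCTEDpart1
                             KSKCONSTRUCTEDpart2 ) ; KSK
@       IN DNSKEY 256 3 13 ZSKCONSTRUCTEDsingleline ; ZSK
www     IN A 192.0.2.10
'

# Reads a zone file (file arguments, or stdin) and prints one DNSKEY/DS RR per
# line: comments stripped, parenthesised records joined, "@" and relative owners
# qualified with $ORIGIN, and key/digest text that was split over whitespace
# concatenated. Records that omit the owner name (inheriting it from the
# previous record) are not handled.
extract_anchors() {
    awk '
        BEGIN { origin = "." }
        { sub(/;.*/, "") }                          # strip ; comments
        /^\$ORIGIN[ \t]/ { origin = $2; next }      # remember the zone origin
        /^\$/ { next }                              # other directives ($TTL, ...)
        {
            buf = buf " " $0
            depth += gsub(/\(/, "", buf) - gsub(/\)/, "", buf)
        }
        depth == 0 {                                # record is complete
            sub(/^[ \t]+/, "", buf); sub(/[ \t]+$/, "", buf)
            n = split(buf, f, /[ \t]+/)
            t = 0
            for (i = 1; i <= n; i++)
                if (f[i] == "DNSKEY" || f[i] == "DS") { t = i; break }
            if (t > 0) {
                if (f[1] == "@") f[1] = origin
                else if (f[1] !~ /\.$/) f[1] = f[1] (origin == "." ? "." : "." origin)
                out = f[1]
                for (i = 2; i <= t + 3 && i <= n; i++) out = out " " f[i]
                for (i = t + 4; i <= n; i++) out = out (i == t + 4 ? " " : "") f[i]
                print out
            }
            buf = ""
        }
    ' "$@"
}

# $1: chroot directory ("" when chroot: "" is configured); $2: a path from
# unbound.conf. With a chroot, an absolute path that is not already below it is
# looked up under the chroot, which is why "/var/named/mail.db" turned into
# "/etc/unbound/var/named/mail.db" in the thread. A relative path is taken
# relative to the chroot (assumption: directory: is left at its default).
resolve_in_chroot() {
    chroot_dir=${1%/}
    if [ -z "$chroot_dir" ]; then printf '%s\n' "$2"; return; fi
    case $2 in
        "$chroot_dir"/*) printf '%s\n' "$2" ;;
        /*)              printf '%s\n' "$chroot_dir$2" ;;
        *)               printf '%s\n' "$chroot_dir/$2" ;;
    esac
}

# Demo: the anchor file contents, then the resolved path from the thread.
printf '%s' "$SAMPLE_ZONE" | extract_anchors
resolve_in_chroot /etc/unbound /var/named/mail.db
```

Redirect the output of extract_anchors into the file named by trust-anchor-file: (placed under the chroot, or with chroot: "" in the config) and run unbound-checkconf. Keys in a trust-anchor-file are static: after a KSK rollover on the BIND side the file has to be regenerated, or auto-trust-anchor-file has to be used instead, which needs a file unbound can write to.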