1.7.3 - trusted-keys-file location

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Jul 26 14:20:41 UTC 2018


On 26/07/18 16:15, ѽ҉ᶬḳ℠ via Unbound-users wrote:
> Hi,
> to my understanding it is feasible to have DNSSEC served for private
> zones in stub-zone, requiring a trusted key entry with the public key
> in config - that would be through >  trusted-keys-file: <, right?

trusted-keys-file reads the BIND syntax for a key statement, but not the
managed 'db' file that has internal BIND stuff for key rotation.

trust-anchor-file is easy: just copy and paste the DNSKEY or DS records
in there. Like, grep DNSKEY example.com.zone > example.com.key
auto-trust-anchor-file enables RFC5011 rotation and keeps track if the
keys are rotated (like, for the root zone that is important).

You can start the auto-trust-anchor-file rotation by providing a file
like for trust-anchor-file: a plain text file with DNSKEY or DS records
in there.

By default chroot is enabled; chroot: "" disables the use of chroot.

Best regards, Wouter
> Since the authoritative server is Bind 9.13.0, I thought it would make
> sense to utilize its zone file straight away for unbound as >
> trusted-keys-file: "/var/named/mail.db" <. However, unbound is reporting
> /etc/unbound/var/named/mail.db: No such file or directory
> [1532614243] unbound-checkconf[2467:0] fatal error: trusted-keys-file:
> "/var/named/mail.db" does not exist in chrootdir /etc/unbound
> There is no chroot directive in the unbound conf however...

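The recipe Wouter gives (copy the DNSKEY records into a plain file, point trust-anchor-file at it, and remember that a chrooted Unbound resolves the path inside the chroot) as an added, runnable shell example. This is not code from the thread or from the Unbound project; the sample zone, its placeholder key data, the mail.example. name and all paths are constructed for the example. It goes a little beyond the one-line grep: it expands @ and relative owner names using $ORIGIN, rejoins DNSKEY records that BIND tools write across several lines in parentheses, exports only the KSK (flags 257), and mirrors the path rule from the chroot section of unbound.conf(5) to show why "/var/named/mail.db" was looked up as "/etc/unbound/var/named/mail.db".

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from the
# Unbound project. It builds a trust-anchor-file from a BIND zone file (the
# "grep DNSKEY" recipe, made robust to @/relative owner names and records
# split over several lines) and shows where a chrooted Unbound looks for it.
# The zone content, key data, names and paths are constructed placeholders.
set -eu

# Constructed sample BIND zone. The key data is a placeholder, not a real key.
# The KSK uses the parenthesised multi-line form BIND tools emit, and the
# owner name is omitted on continuation records, as zone files allow.
write_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN mail.example.
$TTL 3600
@       IN SOA  ns1 hostmaster ( 2018072601 3600 900 1209600 3600 )
        IN NS   ns1
        IN DNSKEY 257 3 13 ( PLACEHOLDERKSKPUBLICKEYDATA
                             PLACEHOLDERKSKPUBLICKEYDATA )
        IN DNSKEY 256 3 13 PLACEHOLDERZSKPUBLICKEYDATA
ns1     IN A    192.0.2.1
EOF
}

# Print the zone's KSK DNSKEY records (flags 257) as fully qualified records
# that trust-anchor-file accepts. Only the KSK is exported: a ZSK rotates far
# more often and would leave a stale anchor behind.
extract_ksk_anchors() {
    awk '
    BEGIN { ttl = 3600 }
    {
        line = $0
        sub(/;.*/, "", line)                         # drop comments
        if (pending != "") line = pending " " line   # continue a "(" record
        if (index(line, "(") > 0 && index(line, ")") == 0) { pending = line; next }
        pending = ""
        gsub(/[()]/, " ", line)
        n = split(line, f, /[ \t]+/)                 # f[1] == "" when owner omitted
        if (n > 0 && f[1] != "") {
            if (f[1] == "$ORIGIN") { origin = f[2]; next }
            if (f[1] == "$TTL")    { ttl = f[2]; next }
            owner = f[1]                             # remembered for later records
        }
        k = 0
        for (i = 1; i <= n; i++) if (f[i] == "DNSKEY") { k = i; break }
        if (k == 0 || f[k + 1] != "257") next
        if (owner == "@")           name = origin
        else if (owner ~ /\.$/)     name = owner
        else                        name = owner "." origin
        key = ""
        for (i = k + 4; i <= n; i++) key = key f[i]  # rejoin base64 split over lines
        printf "%s %s IN DNSKEY %s %s %s %s\n", name, ttl, f[k + 1], f[k + 2], f[k + 3], key
    }' "$1"
}

# Where a chrooted Unbound looks for a file named in unbound.conf, seen from the
# original root (the rule from the chroot section of unbound.conf(5)): a path
# that already starts with the chroot is used as-is, any other absolute path is
# taken relative to the chroot. That is why "/var/named/mail.db" turned into
# "/etc/unbound/var/named/mail.db" in the quoted error.
chroot_path() {
    root=$1
    path=$2
    case "$root" in
        "") printf '%s\n' "$path" ;;
        *)  case "$path" in
                "$root"/*) printf '%s\n' "$path" ;;
                *)         printf '%s\n' "$root$path" ;;
            esac ;;
    esac
}

# Config fragment: the chroot, the anchor file placed inside it, the stub zone.
write_conf() {
    cat <<EOF
server:
    chroot: "$1"
    username: ""   # no user switch, so unbound-checkconf needs no account lookup
    trust-anchor-file: "$2"
stub-zone:
    name: "mail.example."
    stub-addr: 192.0.2.1
EOF
}

main() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    root="$work/etc/unbound"       # stands in for /etc/unbound
    mkdir -p "$root"
    write_sample_zone "$work/mail.db"
    extract_ksk_anchors "$work/mail.db" > "$root/mail.example.key"
    echo "== trust anchors =="; cat "$root/mail.example.key"
    echo "== the quoted mistake: zone file path outside the chroot =="
    echo "/var/named/mail.db -> $(chroot_path /etc/unbound /var/named/mail.db)"
    write_conf "$root" "$root/mail.example.key" > "$root/unbound.conf"
    echo "== unbound.conf =="; cat "$root/unbound.conf"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$root/unbound.conf" || echo "unbound-checkconf rejected the config"
    fi
}
main
```

Run it as-is to see the generated anchor file and config; to use it for real, run extract_ksk_anchors against the signed zone on the BIND host, copy the output into the Unbound chroot, and re-run extract_ksk_anchors after every KSK rollover, since a plain trust-anchor-file does not follow rotations the way auto-trust-anchor-file does.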