1.7.3 - trusted-keys-file location

ѽ҉ᶬḳ℠ vtol at gmx.net
Thu Jul 26 17:53:49 UTC 2018


>>> You can start the auto-trust-anchor-file rotation by providing a file
>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>> in there.
>>>
>>>
> I tried this with (in conf)
>
> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
>
> And the latter reading (copied from the BIND-9 zone file)
>
> mail. 1d IN    DS 22205    14    1   0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN    DS 22205    14    2   816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>
> and as variation
>
> mail. 1d IN    DNSKEY 22205    14    1   0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN    DNSKEY 22205    14    2   816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>
> but either way unbound is reporting the below and I do not understand
> what the issue (anchor cannot be with and without autotrust) is?
>
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from
> /etc/unbound/mail-trusted-key.key at line 1, skipping
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from
> /etc/unbound/mail-trusted-key.key at line 2, skipping
> error: failed to read /etc/unbound/mail-trusted-key.key
> error: error reading auto-trust-anchor-file:
> /etc/unbound/mail-trusted-key.key
> error: validator: error in trustanchors config
> error: validator: could not apply configuration settings.
> fatal error: bad config for validator module

Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor
structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and, if
that is not met, throwing the error.
I am no coder and cannot make sense of

if(tp) {                       /* an anchor for this owner name already exists */
    if(!tp->autr) {            /* ... but it was configured without autotrust */
        log_err("anchor cannot be with and without autotrust");
        lock_basic_unlock(&tp->lock);
        return NULL;
    }

The BIND-9 zone file only provides the aforementioned. Does anything have
to be done with it to make it compliant with the anchor structure required
by unbound?
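The quoted check fires when a trust point for the owner name already exists without autotrust state, i.e. the same name is configured both as a static anchor (trust-anchor, trust-anchor-file or trusted-keys-file) and in an auto-trust-anchor-file. The following Python screens an unbound.conf and its anchor files for that condition before the daemon is started. It is an added example, not Unbound's code and not from this thread; the conf text, the mail-bind.keys path and the BIND key blob are constructed, and only the auto-trust-anchor-file path and the DS record come from the mail above.

```python
import re

def canon(name):
    """Normalise an owner name: lowercase with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def rr_names(text):
    """Owner names of DS/DNSKEY records in zone-file style text (the format of
    trust-anchor-file, auto-trust-anchor-file and inline trust-anchor values)."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split(";")[0].split()          # drop zone-file comments
        if len(fields) > 1 and ("DS" in fields or "DNSKEY" in fields):
            names.add(canon(fields[0]))
    return names

def bind_key_names(text):
    """Owner names in a BIND-style trusted-keys { "name" flags proto alg "key"; } file."""
    return {canon(m) for m in re.findall(r'"([^"]+)"\s+\d+\s+\d+\s+\d+\s+"', text)}

def find_conflicts(conf, files):
    """conf: unbound.conf text; files: {path: contents}, passed in so this runs offline.
    Returns the sorted names configured both as a static anchor and via autotrust."""
    static, auto = set(), set()
    for raw in conf.splitlines():
        key, _, val = raw.partition(":")
        key, val = key.strip(), val.split("#")[0].strip().strip('"')
        if key == "trust-anchor":                 # inline RR string
            static |= rr_names(val)
        elif key == "trust-anchor-file":
            static |= rr_names(files.get(val, ""))
        elif key == "trusted-keys-file":          # BIND trusted-keys syntax
            static |= bind_key_names(files.get(val, ""))
        elif key == "auto-trust-anchor-file":
            auto |= rr_names(files.get(val, ""))
    return sorted(static & auto)

# Constructed sample: mail. appears in a BIND trusted-keys file (key blob is a
# placeholder) and in the auto-trust-anchor-file quoted in the thread.
CONF = """server:
    trusted-keys-file: "/etc/unbound/mail-bind.keys"
    auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
"""
FILES = {
    "/etc/unbound/mail-bind.keys": 'trusted-keys {\n  "mail." 257 3 14 "PLACEHOLDER==";\n};\n',
    "/etc/unbound/mail-trusted-key.key":
        "mail. 1d IN DS 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111\n",
}
```

For the sample above, find_conflicts(CONF, FILES) returns ['mail.'], the name Unbound would refuse with the quoted error; an empty list means no name is anchored both ways.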
