1.7.3 - trusted-keys-file location

Wouter Wijngaards wouter at nlnetlabs.nl
Fri Jul 27 09:25:11 UTC 2018


Hi,


On 26/07/18 19:53, ѽ҉ᶬḳ℠ via Unbound-users wrote:
>>>> You can start the auto-trust-anchor-file rotation by providing a file
>>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>>> in there.
>>>>
>>>>
>> I tried this with (in conf)
>>
>> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
>> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"

Unbound wants you to load the trust anchors for a domain in one
statement, not have them spread over different statements with
different options.  That is the error you are referring to.

So, the files you have are fine (make sure the hexadecimal is on one
line with the start of the record, I cannot tell due to mailer
wordwrap).  And just load one of them.

You can load multiple files, and have a file for every different domain
for which you want keys.

The bind9 format readup does not in fact confer any benefits, if you
ignore the syntax that it reads.  I mean, it uses the same processing as
a plain trust-anchor-file statement, but it reads a different syntax.

Best regards, Wouter

>>
>> And the latter reading (copied from the BIND-9 zone file)
>>
>> mail. 1d IN    DS 22205    14    1   
>> 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN    DS 22205    14    2   
>> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>
>> and as variation
>>
>> mail. 1d IN    DNSKEY 22205    14    1   
>> 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN    DNSKEY 22205    14    2   
>> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>
>> but either way unbound is reporting the below and I do not understand
>> what the issue (anchor cannot be with and without autotrust) is?
>>
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from
>> /etc/unbound/mail-trusted-key.key at line 1, skipping
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from
>> /etc/unbound/mail-trusted-key.key at line 2, skipping
>> error: failed to read /etc/unbound/mail-trusted-key.key
>> error: error reading auto-trust-anchor-file:
>> /etc/unbound/mail-trusted-key.key
>> error: validator: error in trustanchors config
>> error: validator: could not apply configuration settings.
>> fatal error: bad config for validator module
> Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor
> structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and, if
> not met, throwing the error.
> I am no coder and cannot make sense of
>
> if(tp) {
>         if(!tp->autr) {
>             log_err("anchor cannot be with and without autotrust");
>             lock_basic_unlock(&tp->lock);
>             return NULL;
>         }
>
> The BIND-9 zone file only provides the aforementioned. Does anything have
> to be done with it to make it compliant with the anchor structure required
> by unbound?
>
>
>
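As an added example (not code from this thread and not part of Unbound), the checker below catches the two problems discussed in the reply before the resolver is restarted: a DS digest that a mailer or editor wrapped onto its own line, so the record no longer sits on one line, and a domain whose anchors are loaded by more than one statement (a mix of trust-anchor-file and auto-trust-anchor-file is what produces "anchor cannot be with and without autotrust"). It also flags a DNSKEY whose protocol field is not 3, which is how the DS fields pasted into a DNSKEY record above would show up. The mail. records are the ones quoted in the thread; the root DS values, the root.key and mail-static.key paths, and the statement list are constructed for the demonstration.

```python
"""Sanity checks for Unbound trust-anchor files and the statements that load them.

Added example for this thread; not Unbound code and not from the list posters.
The mail. lines are the ones quoted in the thread; everything else (root DS
values, root.key and mail-static.key paths, the statement list) is constructed.
"""
import re

# Hex digest length per DS digest type: 1 = SHA-1 (RFC 4034), 2 = SHA-256
# (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")
TTL = re.compile(r"\d+[smhdw]?", re.IGNORECASE)


def check_anchor_file(text):
    """Check one anchor file. Returns (set of owner names, list of problems)."""
    owners, problems = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # A line holding nothing but hex is a digest that was wrapped onto its
        # own line; Unbound reads one complete record per line.
        if len(fields) == 1 and HEX_ONLY.fullmatch(fields[0]):
            problems.append(f"line {n}: bare hex digest, wrapped from line {n - 1}?")
            continue
        owner, i = fields[0], 1
        if i < len(fields) and TTL.fullmatch(fields[i]):   # optional TTL
            i += 1
        if i < len(fields) and fields[i].upper() == "IN":  # optional class
            i += 1
        if i >= len(fields):
            problems.append(f"line {n}: no record type")
            continue
        rtype, rdata = fields[i].upper(), fields[i + 1:]
        owners.add(owner.lower())
        if rtype == "DS":
            # rdata: key tag, algorithm, digest type, hex digest
            if len(rdata) < 4:
                problems.append(f"line {n}: DS is missing fields; keep the digest on this line")
                continue
            dtype = int(rdata[2]) if rdata[2].isdigit() else -1
            digest, want = "".join(rdata[3:]), DS_DIGEST_HEX_LEN.get(dtype)
            if want is None:
                problems.append(f"line {n}: unknown DS digest type {rdata[2]}")
            elif not HEX_ONLY.fullmatch(digest) or len(digest) != want:
                problems.append(f"line {n}: digest type {dtype} needs {want} hex chars, got {len(digest)}")
        elif rtype == "DNSKEY":
            # rdata: flags, protocol (always 3 per RFC 4034), algorithm, base64 key
            if len(rdata) >= 2 and rdata[1] != "3":
                problems.append(f"line {n}: DNSKEY protocol must be 3, got {rdata[1]}; this looks like DS data")
            elif len(rdata) < 4:
                problems.append(f"line {n}: DNSKEY is missing fields")
        else:
            problems.append(f"line {n}: {rtype} is not a trust anchor (DS or DNSKEY expected)")
    return owners, problems


def check_statements(statements):
    """statements: list of (statement, path, file text). Returns all problems,
    including a domain whose anchors are loaded by more than one statement."""
    problems, loaded_by = [], {}
    for stmt, path, text in statements:
        owners, probs = check_anchor_file(text)
        problems.extend(f"{path}: {p}" for p in probs)
        for o in owners:
            loaded_by.setdefault(o, []).append(f"{stmt} {path}")
    for owner, stmts in loaded_by.items():
        if len(stmts) > 1:
            problems.append(f"{owner} loaded by {' and '.join(stmts)}; use one statement per domain")
    return problems


# Constructed sample: a root DS with placeholder key tag and digest (not the
# real root anchor), the mail. file as quoted in the thread, and a corrected
# single-line version of the mail. DS record.
ROOT_FILE = ". IN DS 12345 8 2 " + "0" * 64 + "\n"
MAIL_FILE = """\
mail. 1d IN    DS 22205    14    1
0FFE136DCCCFD7879D350A62610193ADA5F18111
mail. 1d IN    DNSKEY 22205    14    1
0FFE136DCCCFD7879D350A62610193ADA5F18111
"""
MAIL_FIXED = "mail. 1d IN DS 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111\n"

if __name__ == "__main__":
    conf = [("trust-anchor-file", "/etc/unbound/root.key", ROOT_FILE),
            ("auto-trust-anchor-file", "/etc/unbound/mail-trusted-key.key", MAIL_FILE),
            ("trust-anchor-file", "/etc/unbound/mail-static.key", MAIL_FIXED)]
    for problem in check_statements(conf):
        print(problem)
```

Running the script reports the wrapped digests and the mistaken DNSKEY in mail-trusted-key.key, and then the mail. domain being loaded by two different statement kinds. The checker only looks at syntax and statement layout; it is a complement to unbound-checkconf, not a replacement, since it does not verify the digests or keys against anything.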