trust-anchor-file vs. trusted-keys-file
Sandro
lists at penguinpee.nl
Mon May 30 21:30:40 UTC 2022
Hello,
I'm running Unbound as a local resolver for clients. I also have a few
zones, forward and reverse, maintained locally. The local zones are
served by BIND and are all signed using BIND's automated 'dnssec-policy'.
When I set this up I looked at the different ways of getting Unbound to
trust the local zones signed by BIND. I decided to use
'trust-anchor-file' since this allows me to just have Unbound read the
keys that BIND created. However, unlike 'trusted-keys-file', which
allows globbing, for 'trust-anchor-file' each key needs to be specified
separately.
With 'trusted-keys-file' the required format is not readily available.
These files need to be created and maintained by hand or script.
I would like to be able to use globbing in 'trust-anchor-file'. That way
I could use
trust-anchor-file: "/var/named/keys/*.key"
and be sure all keys maintained by BIND will also be trusted by Unbound.
I'm thinking of tinkering a bit with key rollovers and globbing would
allow me not to worry about Unbound except for maybe an occasional
'unbound-control reload'.
Are there any other users that would find globbing in
'trust-anchor-file' useful? Or are there other/better ways of going about it?
-- Sandro
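As an added example (not from Sandro's post, nor code shipped by Unbound or BIND), the script below is the kind of "maintained by script" step the post mentions: it reads every BIND *.key file in a directory and emits the trusted-keys { } block that Unbound's 'trusted-keys-file' accepts, so the globbing that option already supports can be used instead of listing each key in 'trust-anchor-file'. It assumes the one-line "owner [TTL] IN DNSKEY flags proto alg base64" form that dnssec-keygen and dnssec-policy write, keeps only keys with flags 257 (KSK/CSK), and the sample key files it creates are constructed.

```shell
#!/bin/sh
# Convert BIND dnssec-keygen style *.key files into Unbound trusted-keys-file
# syntax (the BIND "trusted-keys { }" format). Only keys with the SEP flag set
# (flags 257, i.e. KSK or CSK) become trust anchors; ZSKs roll too often.
# Usage: bind_keys_to_trusted_keys /var/named/keys > /etc/unbound/local.keys
bind_keys_to_trusted_keys() {
    keydir="$1"
    echo "trusted-keys {"
    for f in "$keydir"/*.key; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*;/ { next }                 # skip BIND comment lines
            {
                # Locate the DNSKEY token so an optional TTL field does not matter.
                for (i = 1; i <= NF; i++) if ($i == "DNSKEY") break
                if (i > NF) next
                flags = $(i+1); proto = $(i+2); alg = $(i+3)
                key = ""
                for (j = i+4; j <= NF; j++) key = key $j   # join split base64
                gsub(/[()]/, "", key)
                if (flags != 257) next              # only SEP keys are anchors
                printf "    \"%s\" %s %s %s \"%s\";\n", $1, flags, proto, alg, key
            }' "$f"
    done
    echo "};"
}

# Constructed sample key directory (hypothetical zone and placeholder key data)
# so the converter can be exercised without a real BIND installation.
make_sample_keydir() {
    sampledir=$(mktemp -d)
    # KSK with a TTL field, as dnssec-policy writes it
    cat > "$sampledir/Kexample.test.+013+11111.key" <<'EOF'
; This is a key-signing key, keyid 11111, for example.test.
example.test. 3600 IN DNSKEY 257 3 13 c29tZUtTS2tleQ==
EOF
    # ZSK without TTL; must not appear in the output
    cat > "$sampledir/Kexample.test.+013+22222.key" <<'EOF'
; This is a zone-signing key, keyid 22222, for example.test.
example.test. IN DNSKEY 256 3 13 c29tZVpTS2tleQ==
EOF
    echo "$sampledir"
}
```

After a KSK rollover the script is rerun and Unbound picks up the new file with 'unbound-control reload', which matches the occasional reload the post anticipates.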