Maintained by: NLnet Labs

[Unbound-users] About trust-anchor-files

Paul Wouters
Tue Feb 17 17:23:47 CET 2009


On Tue, 17 Feb 2009, JB wrote:

> In my unbound.conf I have:
> 
>        ...
>        trust-anchor-file: "/usr/local/etc/unbound/ancoras/br.anchor"
>        trust-anchor-file: "/usr/local/etc/unbound/ancoras/dlv.isc.org.anchor"
>        ...
> 
> But I saw in Chris Griffiths message:
> 
>        ...
>        trust-anchor-file: "/etc/unbound/anchors/br.anchor"
>        trust-anchor-file: "/etc/unbound/anchors/se.anchor"
>        trust-anchor-file: "/etc/unbound/anchors/bg.anchor"
>        trust-anchor-file: "/etc/unbound/anchors/pr.anchor"
>        trust-anchor-file: "/etc/unbound/anchors/cz.anchor"
>        ...
> 
> My question is about how many trusted keys I must use for validation. And, if
> I manage about 200 domains, must I take care of them in my recursive
> servers, including their trusted keys? Is there an additional security
> advantage to taking care of the anchors for .br, .se, .bg and so on?

Until the root is signed, and if you don't want to use DLV for those queries,
yes.

To make it easier, I wrote "dnssec-conf":

http://www.xelerance.com/software/dnssec-conf/

If you're on Fedora/RHEL/Centos, do:

yum install dnssec-conf
dnssec-configure -u --dnssec=on --dlv=on --production

You will find all the keys in /etc/pki/dnssec-keys/

See further: man dnssec-configure, man dnskey-pull

Paul
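An added check, not part of this thread or of dnssec-conf, that works out from the trust-anchor-file lines in unbound.conf and the anchor files they name which of your own zones sit under a configured anchor and which would still depend on DLV; the config text, file contents and key material are constructed placeholders.

```python
# Added example: map each zone you operate to the configured trust anchor
# that covers it (the zone itself or a parent), so you can see which zones
# would still rely on DLV or be treated as insecure by the validator.
import re

# Matches the trust-anchor-file: directive, with or without quotes.
ANCHOR_FILE_RE = re.compile(r'^\s*trust-anchor-file:\s*"?([^"\s]+)"?', re.M)
# Matches the owner name of a DNSKEY or DS record in an anchor file.
ANCHOR_REC_RE = re.compile(r'^\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?:DNSKEY|DS)\s', re.I)

def anchor_files(conf_text):
    """Paths named by trust-anchor-file: lines, in configuration order."""
    return ANCHOR_FILE_RE.findall(conf_text)

def anchored_zones(anchor_text):
    """Owner names (lower-cased, trailing dot) of DNSKEY/DS records in a file."""
    zones = set()
    for line in anchor_text.splitlines():
        m = ANCHOR_REC_RE.match(line)
        if m:
            zones.add(m.group(1).lower().rstrip(".") + ".")
    return zones

def covering_anchor(zone, anchors):
    """Longest configured anchor that is the zone itself or one of its parents."""
    zone = zone.lower().rstrip(".") + "."
    best = None
    for a in anchors:
        if a == "." or zone == a or zone.endswith("." + a):
            if best is None or len(a) > len(best):
                best = a
    return best

def coverage(conf_text, read_file, zones):
    """Zone -> covering anchor (or None) given conf text and a file reader."""
    anchors = set()
    for path in anchor_files(conf_text):
        anchors |= anchored_zones(read_file(path))
    return {z: covering_anchor(z, anchors) for z in zones}

# Constructed sample config and anchor files; the keys are placeholders.
CONF = 'server:\n    trust-anchor-file: "/usr/local/etc/unbound/ancoras/br.anchor"\n' \
       '    trust-anchor-file: "/usr/local/etc/unbound/ancoras/se.anchor"\n'
FILES = {
    "/usr/local/etc/unbound/ancoras/br.anchor": "br. 3600 IN DNSKEY 257 3 5 PLACEHOLDERKEY==\n",
    "/usr/local/etc/unbound/ancoras/se.anchor": "se.\tIN\tDS 12345 5 1 PLACEHOLDERDIGEST\n",
}

if __name__ == "__main__":
    for zone, anchor in coverage(CONF, FILES.__getitem__, ["example.br", "example.se", "example.org"]).items():
        print(zone, "->", anchor or "no anchor (needs DLV, else treated as insecure)")
```

Point `read_file` at `open(path).read` to run it against a real unbound.conf and anchor directory.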