Maintained by: NLnet Labs

[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation

Bry8 Star
Fri Aug 24 08:18:28 CEST 2012

Hi Leen, Paul,

On 8/23/2012 2:14 AM, Leen Besselink wrote:
> You'll need a stub-zone and (auto-)trust-anchor for
> each TLD that supports DNSSEC.

On 8/23/2012 3:40 PM, Paul Wouters wrote:
>> if 42 TLD supports/has DNSSEC components, then
>> how can i use them ? or
>> how to enable DNSSEC for 42 TLD ?
> You can preload any dnssec key with trusted-keys-file:
> What you are doing (at the root) is not much different
> from adding "private views" higher up. So googling for
> "bind views" might help you as well.

For example, let us assume, '42' TLD has it's own DS, RRSIG, etc DNSSEC
records for the "42." TLD, then doing such would be suffice in
service.conf or in unbound.conf ? :
# removed or 'commented-out' the below line
#domain-insecure: "42"
 name: "42" #
 stub-addr: # name / DNS Srvr
 # test with "search.42"
 trust-anchor-file: "C:\Program Files\Unbound\42registry.42.key"

(Now hypothetically) if cesidianRoot signs all of their 84 TLDs which
are under their authority, with similar/same key, then, do i have to add
84 "trust-anchor-file: "filename" lines ?

Thanks for all of your help on these.