Maintained by: NLnet Labs

[Unbound-users] How to define a root "ceiling" with validating client resolvers

Paul Wouters
Tue Oct 23 00:19:16 CEST 2012


On Mon, 22 Oct 2012, Keith Kaple wrote:

> I'm new to the API for client resolvers using libunbound and am setting up a lab that will have many subdomains.
>
> An example: big.red.liar.lab.cisco.com
>
> I am only authoritative and can only control signing zones at 'lab' and below.  So I just want to define that level to be the root domain and stop verification of DS records as if lab.cisco.com was the root zone because the next level up will not have a DS record for me.  What is a good practice for doing this with libunbound?

You can just load a trust anchor for "lab.cisco.com" using ub_ctx_add_ta().
See man page for it for details. That will "override" the lack of trust
anchors above it.

For more details, see slide 25 at:

http://people.redhat.com/pwouters/LinuxCon2012-DNSSEC.pdf

Paul
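
What a trust anchor at "lab.cisco.com" covers, as an added illustration that is not part of the original post and not libunbound's own code: a simplified model of closest-enclosing trust anchor selection, where the anchor nearest the query name is the starting point for validation. The function names `zone_covers` and `closest_anchor` are hypothetical, and names are assumed to be written without a trailing dot.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if `zone` equals `name` or is an ancestor of it on a label boundary.
 * Case-insensitive; "." is the root and covers every name. */
static int zone_covers(const char *zone, const char *name)
{
    size_t zl = strlen(zone), nl = strlen(name);
    if (strcmp(zone, ".") == 0) return 1;
    if (zl > nl) return 0;
    const char *tail = name + (nl - zl);
    for (size_t i = 0; i < zl; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)zone[i]))
            return 0;
    return nl == zl || tail[-1] == '.';   /* reject "notlab.cisco.com" */
}

/* Closest enclosing anchor for `name`, or NULL when nothing covers it
 * (no chain of trust can be built, so the name is not validated). */
const char *closest_anchor(const char *const *anchors, size_t n, const char *name)
{
    const char *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < n; i++) {
        /* All covering anchors are suffixes of `name`: longest is closest. */
        size_t len = strcmp(anchors[i], ".") == 0 ? 0 : strlen(anchors[i]);
        if (zone_covers(anchors[i], name) && (!best || len > best_len)) {
            best = anchors[i];
            best_len = len;
        }
    }
    return best;
}

int main(void)
{
    /* Constructed anchor set: only the lab zone, as in the question. */
    const char *const anchors[] = { "lab.cisco.com" };
    const char *const names[] = { "big.red.liar.lab.cisco.com",
                                  "notlab.cisco.com", "www.cisco.com" };
    for (size_t i = 0; i < 3; i++) {
        const char *ta = closest_anchor(anchors, 1, names[i]);
        printf("%-28s -> %s\n", names[i], ta ? ta : "(no anchor)");
    }
    return 0;
}
```

With only the lab anchor loaded, names outside "lab.cisco.com" have no covering anchor in this model; adding "." to the set makes them fall back to the root anchor while lab names still start at the lab anchor.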