Maintained by: NLnet Labs

Using unbound-anchor for non-default trust anchor

Paul Wouters
Tue Jul 28 18:12:21 CEST 2015


On Tue, 28 Jul 2015, Edward Lewis via Unbound-users wrote:

> unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org.
>
> I am trying to test RFC 5011 capabilities by following these websites:
>
> http://keyroll.systems
> and
> http://icksk.dnssek.info/fauxroot.html
>
> Goal is to run unbound-anchor as a first step before trying to tune
> unbound to either of those experiments.

Have you tried using /etc/hosts entries for data.iana.org pointing to
the others? :)

More seriously, from the man page:

        -u name
               The  server  name, it connects to https://name.  Specify without
               https:// prefix.  The default is "data.iana.org".   It connects
               to  the  port specified with -P.  You can pass an IPv4 address or
               IPv6 address (no brackets) if you want.

        -x path
               The pathname to the root-anchors.xml file on the server.  (forms
               URL with -u).  The default is /root-anchors/root-anchors.xml.

        -s path
               The  pathname to the root-anchors.p7s file on the server.  (forms
               URL with -u).  The  default  is /root-anchors/root-anchors.p7s.
               This  file  has to be a PKCS7 signature over the xml file, using
               the pem file (-c) as trust anchor.

Paul
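As an added example (not code from the thread, from unbound-anchor, or from NLnet Labs), the following script builds the kind of bundle a non-default -u server has to serve: a root-anchors.xml, a detached DER PKCS#7 signature over it (root-anchors.p7s), and the signer certificate. It then verifies the pair the way unbound-anchor does and prints the invocation that points -u/-x/-s at the test server. The hostname fauxroot.example.invalid, the signer CN, the KeyTag and all-zero digest, and every file name are constructed for the example. The practical caveat it encodes: -u/-x/-s alone are not enough, because the p7s is checked against the built-in IANA certificate unless -c supplies the test server's signer certificate.

```shell
#!/bin/sh
# Added example for this thread; not code from unbound-anchor, NLnet Labs or
# the posters.  Builds a faux root-anchors bundle, verifies it as
# unbound-anchor would, and shows the matching -u/-x/-s/-c command line.
# Assumed/constructed: fauxroot.example.invalid, the signer CN, the KeyTag and
# Digest values, and all file names.
set -eu

# Constructed sample in the root-anchors.xml layout.  The digest is all zeros,
# a placeholder, not any real root KSK.
make_anchor_xml() { # out.xml
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="faux-root-test" source="http://fauxroot.example.invalid/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="FauxKSK-1" validFrom="2015-01-01T00:00:00+00:00">
<KeyTag>12345</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>0000000000000000000000000000000000000000000000000000000000000000</Digest>
</KeyDigest>
</TrustAnchor>
EOF
}

# Self-signed signer certificate.  On the test server it plays the role of
# IANA's certificate; its .pem is what unbound-anchor -c has to be given.
make_signer() { # prefix  -> prefix.key, prefix.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=fauxroot test signer" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Detached, DER-encoded PKCS#7 signature over the xml: the root-anchors.p7s
# that -s points at.
sign_anchor_xml() { # xml signer-prefix out.p7s
    openssl smime -sign -binary -outform DER \
        -in "$1" -signer "$2.pem" -inkey "$2.key" -out "$3"
}

# Check as unbound-anchor does: the signature must verify and chain to the
# certificate supplied as trust anchor.  Exit status 0 means accepted.
verify_anchor_xml() { # xml signer-prefix p7s
    openssl smime -verify -binary -inform DER \
        -in "$3" -content "$1" -CAfile "$2.pem" -out /dev/null 2>/dev/null
}

# Command line to fetch from the faux server instead of data.iana.org.
# -u/-x/-s are the options quoted from the man page; -c is required because
# the built-in IANA certificate will not verify a signature by the test signer;
# -a keeps the test anchor out of the real root.key.
unbound_anchor_cmd() { # server-name signer-prefix anchor-file
    printf 'unbound-anchor -u %s -x /root-anchors/root-anchors.xml -s /root-anchors/root-anchors.p7s -c %s.pem -a %s\n' \
        "$1" "$2" "$3"
}

# Stand-alone run: build the bundle in a scratch directory and verify it.
W=$(mktemp -d)
make_anchor_xml "$W/root-anchors.xml"
make_signer "$W/fauxroot-signer"
sign_anchor_xml "$W/root-anchors.xml" "$W/fauxroot-signer" "$W/root-anchors.p7s"
if verify_anchor_xml "$W/root-anchors.xml" "$W/fauxroot-signer" "$W/root-anchors.p7s"; then
    echo "bundle in $W verifies; serve it under /root-anchors/ on the test host and run:"
    unbound_anchor_cmd fauxroot.example.invalid "$W/fauxroot-signer" /etc/unbound/fauxroot.key
else
    echo "signature check failed" >&2
    exit 1
fi
```

Serve the two files from the -u host (plain http is enough for the fetch; the p7s is what carries the trust), and hand the signer's .pem to -c. Any change to the xml after signing, or a p7s made by a different signer, makes the verify step fail, which is the same refusal unbound-anchor gives.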