You are not logged in.

#1 2020-02-09 18:40:37

skyvell
Member
Registered: 2017-03-10
Posts: 10

DNSSEC with unbound

I'm setting up DNSSEC by following the arch wiki instructions in https://wiki.archlinux.org/index.php/un … validation.
But when I open the config file I get other instructions (pasted below). Which instructions should I follow and why?

In unbound config file:
     .....
    # Note this gets out of date, use auto-trust-anchor-file please.
    trust-anchor-file: trusted-key.key

Last edited by skyvell (2020-02-09 18:51:26)

Offline

#2 2020-02-13 16:03:16

RoundCube
Member
Registered: 2016-05-14
Posts: 38

Re: DNSSEC with unbound

There's 2 ways to do it.

Using trust-anchor-file: this will use the key file provided by the package dnssec-anchors – the arch devs are responsible to keep it updated.

Using auto-trust-anchor-file: unbound by itself checks whether there is a newer one, and creates the key file. It needs write permissions for the directory where the key file is.

Have a look at man unbound.conf for the official documentation.

Debian uses by default:
auto-trust-anchor-file: "/var/lib/unbound/root.key"
where both the directory and file belong to user/group unbound with permission mode 655.

Offline

#3 2020-02-13 17:47:12

jonnybarnes
Member
From: Manchester, UK
Registered: 2011-05-11
Posts: 127
Website

Re: DNSSEC with unbound

If you look at the hook script in the package, any time unbound is updated, the trusted-key file is updated too: https://git.archlinux.org/svntogit/comm … es/unbound

Offline

Board footer

Powered by FluxBB