#1 2020-02-09 18:40:37

skyvell
Member
Registered: 2017-03-10
Posts: 12

DNSSEC with unbound

I'm setting up DNSSEC by following the arch wiki instructions in https://wiki.archlinux.org/index.php/un … validation.
But when I open the config file I get other instructions (pasted below). Which instructions should I follow and why?

In unbound config file:
     .....
    # Note this gets out of date, use auto-trust-anchor-file please.
    trust-anchor-file: trusted-key.key

Last edited by skyvell (2020-02-09 18:51:26)


#2 2020-02-13 16:03:16

RoundCube
Member
Registered: 2016-05-14
Posts: 42

Re: DNSSEC with unbound

There are 2 ways to do it.

Using trust-anchor-file: this will use the key file provided by the package dnssec-anchors – the Arch devs are responsible for keeping it updated.

Using auto-trust-anchor-file: unbound by itself checks whether there is a newer one, and creates the key file. It needs write permissions for the directory where the key file is.

Have a look at man unbound.conf for the official documentation.

Debian uses by default:
auto-trust-anchor-file: "/var/lib/unbound/root.key"
where both the directory and file belong to user/group unbound with permission mode 655.

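The write-permission requirement for auto-trust-anchor-file mentioned in post #2 can be checked against a config before switching directives. The shell functions below are an added example, not part of any post in this thread or of unbound itself; the names `anchor_directives` and `check_anchors`, and the WORKDIR default used to resolve relative paths, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which DNSSEC trust-anchor directive an unbound.conf
# uses and whether an auto-managed anchor can actually be rewritten.

# anchor_directives CONF
# Print "<directive> <path>" for each active (uncommented) trust-anchor line.
anchor_directives() {
    sed -n -E 's/^[[:space:]]*((auto-)?trust-anchor-file):[[:space:]]*"?([^"#]*[^"#[:space:]])"?.*$/\1 \3/p' "$1"
}

# check_anchors CONF [WORKDIR]
# WORKDIR (assumption: defaults to the config file's directory) resolves
# relative paths such as "trusted-key.key".
# Prints one status line per directive. Returns 1 when no anchor is configured
# or when an auto-managed anchor sits in a directory that is missing or not
# writable by the user running this check.
check_anchors() {
    conf=$1
    workdir=${2:-$(dirname "$conf")}
    status=0
    found=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        found=1
        case $path in
            /*) ;;                          # absolute path, use as-is
            *) path=$workdir/$path ;;       # relative path
        esac
        if [ "$directive" = "auto-trust-anchor-file" ]; then
            dir=$(dirname "$path")
            if [ -d "$dir" ] && [ -w "$dir" ]; then
                echo "auto $path dir-writable"
            else
                echo "auto $path dir-not-writable"
                status=1
            fi
        else
            echo "static $path"             # maintained by the package, not by unbound
        fi
    done <<EOF
$(anchor_directives "$conf")
EOF
    [ "$found" -eq 1 ] || { echo "none"; status=1; }
    return "$status"
}
```

The writability test applies to whoever invokes it, so run `check_anchors /path/to/unbound.conf` as the account the unbound daemon runs under.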

#3 2020-02-13 17:47:12

jonnybarnes
Member
From: Manchester, UK
Registered: 2011-05-11
Posts: 129

Re: DNSSEC with unbound

If you look at the hook script in the package, any time unbound is updated, the trusted-key file is updated too: https://git.archlinux.org/svntogit/comm … es/unbound
