#1 2020-02-09 18:40:37

Registered: 2017-03-10
Posts: 10

DNSSEC with unbound

I'm setting up DNSSEC by following the Arch Wiki instructions in … validation.
But when I open the config file I get other instructions (pasted below). Which instructions should I follow and why?

In unbound config file:
    # Note this gets out of date, use auto-trust-anchor-file please.
    trust-anchor-file: trusted-key.key

Last edited by skyvell (2020-02-09 18:51:26)


#2 2020-02-13 16:03:16

Registered: 2016-05-14
Posts: 36

Re: DNSSEC with unbound

There are two ways to do it.

Using trust-anchor-file: this will use the key file provided by the package dnssec-anchors – the Arch devs are responsible for keeping it updated.

Using auto-trust-anchor-file: unbound by itself checks whether there is a newer one, and creates the key file. It needs write permissions for the directory where the key file is.

Have a look at man unbound.conf for the official documentation.

Debian uses by default:
auto-trust-anchor-file: "/var/lib/unbound/root.key"
where both the directory and file belong to user/group unbound with permission mode 655.
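
Added example, not part of any post in this thread and not code from unbound, Arch or Debian: a Python check that reads an unbound config, reports which of the two trust anchor directives described in post #2 is active, and for auto-trust-anchor-file verifies the write permission that post mentions. The function names and the numeric uid argument are assumptions of this example; paths are used as written, without resolving a chroot.

```python
import os
import re
import stat

# Uncommented "trust-anchor-file:" / "auto-trust-anchor-file:" lines, path optionally quoted.
DIRECTIVE = re.compile(
    r'^\s*(auto-trust-anchor-file|trust-anchor-file)\s*:\s*"?([^"#]+?)"?\s*(?:#.*)?$'
)

def find_anchors(conf_text):
    """Return [(directive, path)] for each active trust anchor line."""
    return [m.groups() for m in map(DIRECTIVE.match, conf_text.splitlines()) if m]

def owner_can_write(path, uid):
    """True if path is owned by uid and the owner write bit is set."""
    st = os.stat(path)
    return st.st_uid == uid and bool(st.st_mode & stat.S_IWUSR)

def audit(conf_text, uid):
    """Return one finding per trust anchor directive in conf_text.

    uid is the numeric id unbound runs as (assumption: the caller looks it up).
    Paths are used as written; chroot and relative paths are not resolved.
    """
    anchors = find_anchors(conf_text)
    if not anchors:
        return ["no trust anchor configured"]
    findings = []
    for directive, path in anchors:
        if directive == "trust-anchor-file":
            findings.append(f"{path}: static anchor, refreshed only by the package that ships it")
            continue
        directory = os.path.dirname(path) or "."
        if not os.path.isdir(directory) or not owner_can_write(directory, uid):
            findings.append(f"{directory}: not writable by uid {uid}, key cannot be updated")
        elif os.path.exists(path) and not owner_can_write(path, uid):
            findings.append(f"{path}: key file not writable by uid {uid}")
        else:
            findings.append(f"{path}: ok, unbound can maintain this anchor")
    return findings

if __name__ == "__main__":
    # Constructed sample using the Debian default quoted in the thread.
    sample = 'server:\n    auto-trust-anchor-file: "/var/lib/unbound/root.key"\n'
    for finding in audit(sample, os.getuid()):
        print(finding)
```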


#3 2020-02-13 17:47:12

From: Manchester, UK
Registered: 2011-05-11
Posts: 127

Re: DNSSEC with unbound

If you look at the hook script in the package, any time unbound is updated, the trusted-key file is updated too: … es/unbound

