[thirdparty/systemd.git] / man / dnssec-trust-anchors.d.xml

<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="dnssec-trust-anchors.d" conditional='ENABLE_RESOLVE'
    xmlns:xi="http://www.w3.org/2001/XInclude">
  <refentryinfo>
    <title>dnssec-trust-anchors.d</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>dnssec-trust-anchors.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>dnssec-trust-anchors.d</refname>
    <refname>systemd.positive</refname>
    <refname>systemd.negative</refname>
    <refpurpose>DNSSEC trust anchor configuration files</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/dnssec-trust-anchors.d/*.positive</filename></para>
    <para><filename>/run/dnssec-trust-anchors.d/*.positive</filename></para>
    <para><filename>/usr/lib/dnssec-trust-anchors.d/*.positive</filename></para>
    <para><filename>/etc/dnssec-trust-anchors.d/*.negative</filename></para>
    <para><filename>/run/dnssec-trust-anchors.d/*.negative</filename></para>
    <para><filename>/usr/lib/dnssec-trust-anchors.d/*.negative</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>The DNSSEC trust anchor configuration files define positive
    and negative trust anchors
    <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    bases DNSSEC integrity proofs on.</para>
  </refsect1>

  <refsect1>
    <title>Positive Trust Anchors</title>

    <para>Positive trust anchor configuration files contain <constant class='dns'>DNSKEY</constant> and
    <constant class='dns'>DS</constant> resource record definitions to use as base for DNSSEC integrity
    proofs. See <ulink url="https://tools.ietf.org/html/rfc4035#section-4.4">RFC 4035, Section 4.4</ulink>
    for more information about DNSSEC trust anchors.</para>

    <para>Positive trust anchors are read from files with the suffix
    <filename>.positive</filename> located in
    <filename>/etc/dnssec-trust-anchors.d/</filename>,
    <filename>/run/dnssec-trust-anchors.d/</filename> and
    <filename>/usr/lib/dnssec-trust-anchors.d/</filename>. These
    directories are searched in the specified order, and a trust
    anchor file of the same name in an earlier path overrides a trust
    anchor files in a later path. To disable a trust anchor file
    shipped in <filename>/usr/lib/dnssec-trust-anchors.d/</filename>
    it is sufficient to provide an identically-named file in
    <filename>/etc/dnssec-trust-anchors.d/</filename> or
    <filename>/run/dnssec-trust-anchors.d/</filename> that is either
    empty or a symlink to <filename>/dev/null</filename> ("masked").</para>

    <para>Positive trust anchor files are simple text files resembling DNS zone files, as documented in
    <ulink url="https://tools.ietf.org/html/rfc1035#section-5">RFC 1035, Section 5</ulink>. One <constant
    class='dns'>DS</constant> or <constant class='dns'>DNSKEY</constant> resource record may be listed per
    line. Empty lines and lines starting with <literal>#</literal> or <literal>;</literal> are ignored, which
    may be used for commenting. A <consant class='dns'>DS</consant> resource record is specified like in the
    following example:</para>

    <programlisting>. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5</programlisting>

    <para>The first word specifies the domain, use
    <literal>.</literal> for the root domain. The domain may be
    specified with or without trailing dot, which is considered
    equivalent. The second word must be <literal>IN</literal> the
    third word <literal>DS</literal>. The following words specify the
    key tag, signature algorithm, digest algorithm, followed by the
    hex-encoded key fingerprint. See <ulink
    url="https://tools.ietf.org/html/rfc4034#section-5">RFC 4034,
    Section 5</ulink> for details about the precise syntax and meaning
    of these fields.</para>

    <para>Alternatively, <constant class='dns'>DNSKEY</constant> resource records may be used to define trust
    anchors, like in the following example:</para>

    <programlisting>. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=</programlisting>

    <para>The first word specifies the domain again, the second word must be <literal>IN</literal>, followed
    by <literal>DNSKEY</literal>. The subsequent words encode the <constant class='dns'>DNSKEY</constant>
    flags, protocol and algorithm fields, followed by the key data encoded in Base64. See <ulink
    url="https://tools.ietf.org/html/rfc4034#section-2">RFC 4034, Section 2</ulink> for details about the
    precise syntax and meaning of these fields.</para>

    <para>If multiple <constant class='dns'>DS</constant> or <constant class='dns'>DNSKEY</constant> records
    are defined for the same domain (possibly even in different trust anchor files), all keys are used and
    are considered equivalent as base for DNSSEC proofs.</para>

    <para>Note that <filename>systemd-resolved</filename> will
    automatically use a built-in trust anchor key for the Internet
    root domain if no positive trust anchors are defined for the root
    domain. In most cases it is hence unnecessary to define an
    explicit key with trust anchor files. The built-in key is disabled
    as soon as at least one trust anchor key for the root domain is
    defined in trust anchor files.</para>

    <para>It is generally recommended to encode trust anchors in <constant class='dns'>DS</constant> resource
    records, rather than <constant class='dns'>DNSKEY</constant> resource records.</para>

    <para>If a trust anchor specified via a <constant class='dns'>DS</constant> record is found revoked it is
    automatically removed from the trust anchor database for the runtime. See <ulink
    url="https://tools.ietf.org/html/rfc5011">RFC 5011</ulink> for details about revoked trust anchors. Note
    that <filename>systemd-resolved</filename> will not update its trust anchor database from DNS servers
    automatically. Instead, it is recommended to update the resolver software or update the new trust anchor
    via adding in new trust anchor files.</para>

    <para>The current DNSSEC trust anchor for the Internet's root
    domain is available at the <ulink
    url="https://data.iana.org/root-anchors/root-anchors.xml">IANA
    Trust Anchor and Keys</ulink> page.</para>
  </refsect1>

  <refsect1>
    <title>Negative Trust Anchors</title>

    <para>Negative trust anchors define domains where DNSSEC validation shall be turned
    off. Negative trust anchor files are found at the same location as positive trust anchor files,
    and follow the same overriding rules. They are text files with the
    <filename>.negative</filename> suffix. Empty lines and lines whose first character is
    <literal>;</literal> are ignored. Each line specifies one domain name which is the root of a DNS
    subtree where validation shall be disabled. For example:</para>

    <programlisting># Reverse IPv4 mappings
10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
...
# Some custom domains
prod
stag
</programlisting>

    <para>Negative trust anchors are useful to support private DNS
    subtrees that are not referenced from the Internet DNS hierarchy,
    and not signed.</para>

    <para><ulink url="https://tools.ietf.org/html/rfc7646">RFC
    7646</ulink> for details on negative trust anchors.</para>

    <para>If no negative trust anchor files are configured a built-in
    set of well-known private DNS zone domains is used as negative
    trust anchors.</para>

    <para>It is also possibly to define per-interface negative trust
    anchors using the <varname>DNSSECNegativeTrustAnchors=</varname>
    setting in
    <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    files.</para>
  </refsect1>

  <refsect1>
      <title>See Also</title>
      <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
      </para>
  </refsect1>

</refentry>
Commit	Line	Data
514094f9	1	<?xml version='1.0'?>
3a54a157	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
b5a8703f	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
db9ecf05	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
b5a8703f	5
1ec57f33	6	<refentry id="dnssec-trust-anchors.d" conditional='ENABLE_RESOLVE'
b5a8703f LP	7	xmlns:xi="http://www.w3.org/2001/XInclude">
	8	<refentryinfo>
	9	<title>dnssec-trust-anchors.d</title>
	10	<productname>systemd</productname>
b5a8703f LP	11	</refentryinfo>
	12
	13	<refmeta>
	14	<refentrytitle>dnssec-trust-anchors.d</refentrytitle>
	15	<manvolnum>5</manvolnum>
	16	</refmeta>
	17
	18	<refnamediv>
	19	<refname>dnssec-trust-anchors.d</refname>
	20	<refname>systemd.positive</refname>
	21	<refname>systemd.negative</refname>
	22	<refpurpose>DNSSEC trust anchor configuration files</refpurpose>
	23	</refnamediv>
	24
	25	<refsynopsisdiv>
	26	<para><filename>/etc/dnssec-trust-anchors.d/*.positive</filename></para>
	27	<para><filename>/run/dnssec-trust-anchors.d/*.positive</filename></para>
	28	<para><filename>/usr/lib/dnssec-trust-anchors.d/*.positive</filename></para>
	29	<para><filename>/etc/dnssec-trust-anchors.d/*.negative</filename></para>
	30	<para><filename>/run/dnssec-trust-anchors.d/*.negative</filename></para>
	31	<para><filename>/usr/lib/dnssec-trust-anchors.d/*.negative</filename></para>
	32	</refsynopsisdiv>
	33
	34	<refsect1>
	35	<title>Description</title>
	36
	37	<para>The DNSSEC trust anchor configuration files define positive
	38	and negative trust anchors
	39	<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	40	bases DNSSEC integrity proofs on.</para>
	41	</refsect1>
	42
	43	<refsect1>
	44	<title>Positive Trust Anchors</title>
	45
9a024bf1 ZJS	46	<para>Positive trust anchor configuration files contain <constant class='dns'>DNSKEY</constant> and
	47	<constant class='dns'>DS</constant> resource record definitions to use as base for DNSSEC integrity
	48	proofs. See <ulink url="https://tools.ietf.org/html/rfc4035#section-4.4">RFC 4035, Section 4.4</ulink>
	49	for more information about DNSSEC trust anchors.</para>
b5a8703f LP	50
	51	<para>Positive trust anchors are read from files with the suffix
	52	<filename>.positive</filename> located in
	53	<filename>/etc/dnssec-trust-anchors.d/</filename>,
	54	<filename>/run/dnssec-trust-anchors.d/</filename> and
	55	<filename>/usr/lib/dnssec-trust-anchors.d/</filename>. These
	56	directories are searched in the specified order, and a trust
	57	anchor file of the same name in an earlier path overrides a trust
	58	anchor files in a later path. To disable a trust anchor file
	59	shipped in <filename>/usr/lib/dnssec-trust-anchors.d/</filename>
	60	it is sufficient to provide an identically-named file in
	61	<filename>/etc/dnssec-trust-anchors.d/</filename> or
	62	<filename>/run/dnssec-trust-anchors.d/</filename> that is either
	63	empty or a symlink to <filename>/dev/null</filename> ("masked").</para>
	64
0b497bc4	65	<para>Positive trust anchor files are simple text files resembling DNS zone files, as documented in
9a024bf1 ZJS	66	<ulink url="https://tools.ietf.org/html/rfc1035#section-5">RFC 1035, Section 5</ulink>. One <constant
	67	class='dns'>DS</constant> or <constant class='dns'>DNSKEY</constant> resource record may be listed per
	68	line. Empty lines and lines starting with <literal>#</literal> or <literal>;</literal> are ignored, which
	69	may be used for commenting. A <consant class='dns'>DS</consant> resource record is specified like in the
	70	following example:</para>
b5a8703f LP	71
	72	<programlisting>. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5</programlisting>
	73
	74	<para>The first word specifies the domain, use
	75	<literal>.</literal> for the root domain. The domain may be
	76	specified with or without trailing dot, which is considered
	77	equivalent. The second word must be <literal>IN</literal> the
	78	third word <literal>DS</literal>. The following words specify the
	79	key tag, signature algorithm, digest algorithm, followed by the
	80	hex-encoded key fingerprint. See <ulink
	81	url="https://tools.ietf.org/html/rfc4034#section-5">RFC 4034,
	82	Section 5</ulink> for details about the precise syntax and meaning
	83	of these fields.</para>
	84
9a024bf1 ZJS	85	<para>Alternatively, <constant class='dns'>DNSKEY</constant> resource records may be used to define trust
9a024bf1 ZJS	86	anchors, like in the following example:</para>
b5a8703f LP	87
	88	<programlisting>. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=</programlisting>
	89
9a024bf1 ZJS	90	<para>The first word specifies the domain again, the second word must be <literal>IN</literal>, followed
	91	by <literal>DNSKEY</literal>. The subsequent words encode the <constant class='dns'>DNSKEY</constant>
	92	flags, protocol and algorithm fields, followed by the key data encoded in Base64. See <ulink
	93	url="https://tools.ietf.org/html/rfc4034#section-2">RFC 4034, Section 2</ulink> for details about the
	94	precise syntax and meaning of these fields.</para>
b5a8703f	95
9a024bf1 ZJS	96	<para>If multiple <constant class='dns'>DS</constant> or <constant class='dns'>DNSKEY</constant> records
	97	are defined for the same domain (possibly even in different trust anchor files), all keys are used and
	98	are considered equivalent as base for DNSSEC proofs.</para>
b5a8703f LP	99
	100	<para>Note that <filename>systemd-resolved</filename> will
	101	automatically use a built-in trust anchor key for the Internet
	102	root domain if no positive trust anchors are defined for the root
	103	domain. In most cases it is hence unnecessary to define an
	104	explicit key with trust anchor files. The built-in key is disabled
	105	as soon as at least one trust anchor key for the root domain is
	106	defined in trust anchor files.</para>
	107
9a024bf1 ZJS	108	<para>It is generally recommended to encode trust anchors in <constant class='dns'>DS</constant> resource
	109	records, rather than <constant class='dns'>DNSKEY</constant> resource records.</para>
	110
	111	<para>If a trust anchor specified via a <constant class='dns'>DS</constant> record is found revoked it is
	112	automatically removed from the trust anchor database for the runtime. See <ulink
	113	url="https://tools.ietf.org/html/rfc5011">RFC 5011</ulink> for details about revoked trust anchors. Note
	114	that <filename>systemd-resolved</filename> will not update its trust anchor database from DNS servers
	115	automatically. Instead, it is recommended to update the resolver software or update the new trust anchor
	116	via adding in new trust anchor files.</para>
b5a8703f LP	117
b5a8703f LP	118	<para>The current DNSSEC trust anchor for the Internet's root
b8e1d4d1	119	domain is available at the <ulink
b5a8703f LP	120	url="https://data.iana.org/root-anchors/root-anchors.xml">IANA
	121	Trust Anchor and Keys</ulink> page.</para>
	122	</refsect1>
	123
	124	<refsect1>
	125	<title>Negative Trust Anchors</title>
	126
e788ef48 ZJS	127	<para>Negative trust anchors define domains where DNSSEC validation shall be turned
	128	off. Negative trust anchor files are found at the same location as positive trust anchor files,
	129	and follow the same overriding rules. They are text files with the
	130	<filename>.negative</filename> suffix. Empty lines and lines whose first character is
	131	<literal>;</literal> are ignored. Each line specifies one domain name which is the root of a DNS
2c91906e ZJS	132	subtree where validation shall be disabled. For example:</para>
	133
	134	<programlisting># Reverse IPv4 mappings
	135	10.in-addr.arpa
	136	16.172.in-addr.arpa
	137	168.192.in-addr.arpa
	138	...
	139	# Some custom domains
	140	prod
	141	stag
	142	</programlisting>
b5a8703f LP	143
	144	<para>Negative trust anchors are useful to support private DNS
	145	subtrees that are not referenced from the Internet DNS hierarchy,
	146	and not signed.</para>
	147
	148	<para><ulink url="https://tools.ietf.org/html/rfc7646">RFC
	149	7646</ulink> for details on negative trust anchors.</para>
30c77809 LP	150
	151	<para>If no negative trust anchor files are configured a built-in
	152	set of well-known private DNS zone domains is used as negative
	153	trust anchors.</para>
8a516214 LP	154
	155	<para>It is also possibly to define per-interface negative trust
	156	anchors using the <varname>DNSSECNegativeTrustAnchors=</varname>
	157	setting in
	158	<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
	159	files.</para>
b5a8703f LP	160	</refsect1>
	161
	162	<refsect1>
	163	<title>See Also</title>
	164	<para>
	165	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	166	<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
8a516214 LP	167	<citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
8a516214 LP	168	<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
b5a8703f LP	169	</para>
	170	</refsect1>
	171
	172	</refentry>