From: Wouter Wijngaards Date: Thu, 1 Sep 2016 07:08:22 +0000 (+0000) Subject: - RFC 7958 is now out, updated docs for unbound-anchor. X-Git-Tag: release-1.5.10~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a03a3d1d55b876419c36b4926ea4a387349d6aba;p=thirdparty%2Funbound.git - RFC 7958 is now out, updated docs for unbound-anchor. git-svn-id: file:///svn/unbound/trunk@3839 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index ae122903b..33587cda5 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,4 +1,7 @@ -29 August 2016: Ralph +1 September 2016: Wouter + - RFC 7958 is now out, updated docs for unbound-anchor. + +29 August 2016: Wouter - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A. Siewior. - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e. diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index 3d743a734..5f17b614c 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -16,6 +16,8 @@ .SH "DESCRIPTION" .B Unbound\-anchor performs setup or update of the root trust anchor for DNSSEC validation. +The program fetches the trust anchor with the method from RFC7958 when +regular RFC5011 update fails to bring it up to date. It can be run (as root) from the commandline, or run as part of startup scripts. Before you start the \fIunbound\fR(8) DNS server. .P @@ -39,8 +41,8 @@ update certificate files. .P It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results, if -all checks are successful, it updates the root anchor file. Otherwise +It performs a https fetch of root-anchors.xml and checks the results (RFC7958), +if all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. .P diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c index b3bba6c24..756fcf7f0 100644 --- a/smallapp/unbound-anchor.c +++ b/smallapp/unbound-anchor.c @@ -37,7 +37,8 @@ * \file * * This file checks to see that the current 5011 keys work to prime the - * current root anchor. If not a certificate is used to update the anchor. + * current root anchor. If not a certificate is used to update the anchor, + * with RFC7958 https xml fetch. * * This is a concept solution for distribution of the DNSSEC root * trust anchor. It is a small tool, called "unbound-anchor", that @@ -47,7 +48,7 @@ * Management-Abstract: * * first run: fill root.key file with hardcoded DS record. * * mostly: use RFC5011 tracking, quick . DNSKEY UDP query. - * * failover: use builtin certificate, do https and update. + * * failover: use RFC7958 builtin certificate, do https and update. * Special considerations: * * 30-days RFC5011 timer saves a lot of https traffic. * * DNSKEY probe must be NOERROR, saves a lot of https traffic. @@ -77,7 +78,7 @@ * the file contains a list of normal DNSKEY/DS records, and uses that to * bootstrap 5011 (the KSK is made VALID). * - * The certificate update is done by fetching root-anchors.xml and + * The certificate RFC7958 update is done by fetching root-anchors.xml and * root-anchors.p7s via SSL. The HTTPS certificate can be logged but is * not validated (https for channel security; the security comes from the * certificate). The 'data.iana.org' domain name A and AAAA are resolved