From: Wouter Wijngaards
Date: Thu, 19 Aug 2010 19:16:03 +0000 (+0000)
Subject: - example.conf notes how to do DNSSEC validation and track the root.
X-Git-Tag: release-1.4.7rc1~105
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b406bc70a6450d685d7eb90db8712152496af64;p=thirdparty%2Funbound.git

- example.conf notes how to do DNSSEC validation and track the root.

git-svn-id: file:///svn/unbound/trunk@2220 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/doc/Changelog b/doc/Changelog
index 65debe196..9b41c7813 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,7 @@
 	- Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
 	  Delegpt structures checked for duplicates always. No more nameserver
 	  lookups generated when depth is full anyway.
+	- example.conf notes how to do DNSSEC validation and track the root.
 
 18 August 2010: Wouter
 	- Fix bug#322: configure does not respect CFLAGS on Solaris.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index ae5556e78..1e3af9504 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -305,6 +305,18 @@ server:
 	# separated by spaces. "iterator" or "validator iterator"
 	# module-config: "validator iterator"
 
+	# File with trusted keys, kept uptodate using RFC5011 probes,
+	# initial file like trust-anchor-file, then it stores metadata.
+	# Use several entries, one per domain name, to track multiple zones.
+	#
+	# To do DNSSEC validation and track the root, initialize the
+	# file @UNBOUND_RUN_DIR@/root.key
+	# (the echo statement goes on one line)
+	# echo . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 > @UNBOUND_RUN_DIR@/root.key
+	# or: dig . DNSKEY > @UNBOUND_RUN_DIR@/root.key
+	# You can verify it via https://www.iana.org/dnssec or TCR attestation.
+	# auto-trust-anchor-file: "@UNBOUND_RUN_DIR@/root.key"
+
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
 	# Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
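Review bot: The `# or: dig . DNSKEY > @UNBOUND_RUN_DIR@/root.key` line presents an unauthenticated fetch as an equal alternative to the hard-coded root DS, yet whatever resolver answers that one query becomes the permanent trust anchor, and RFC 5011 tracking only validates later rollovers against keys already trusted, so a key substituted at bootstrap is never detected afterwards. The next line offers IANA verification as optional (`You can verify`); I would make it the required step, e.g. `# or: dig . DNSKEY > @UNBOUND_RUN_DIR@/root.key  (unauthenticated: you MUST` / `# compare the key with https://www.iana.org/dnssec before enabling it)`. The hunk also says the file "then stores metadata" without saying the daemon has to be able to write it, so a line such as `# This file must be writable by the user unbound runs as (and be inside the chroot, if one is used).` would prevent the usual first-run failure; the chroot remark is inferred from Unbound's general configuration rather than from this hunk, so confirm it. Minor wording: "uptodate" reads better as "up to date".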
@@ -313,15 +325,12 @@ server:
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
 	# Zone file format, with DS and DNSKEY entries.
+	# Note this gets out of date, use auto-trust-anchor-file please.
 	# trust-anchor-file: ""
 
-	# File with trusted keys, kept uptodate using RFC5011 probes,
-	# initial file like trust-anchor-file, then it stores metadata.
-	# Use several entries, one per domain name, to track multiple zones.
-	# auto-trust-anchor-file: ""
-
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
+	# Note this gets out of date, use auto-trust-anchor-file please.
 	# (These examples are from August 2007 and may not be valid anymore).
 	# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
 	# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
@@ -330,6 +339,7 @@ server:
 	# with several entries, one file per entry. Like trust-anchor-file
 	# but has a different file format. Format is BIND-9 style format,
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
+	# you need external update procedures to track changes in keys.
 	# trusted-keys-file: ""
 
 	# Ignore chain of trust. Domain is treated as insecure.