[Unbound-users] About trust-anchor-files
paul at xelerance.com
Tue Feb 17 17:23:47 CET 2009
On Tue, 17 Feb 2009, JB wrote:
> In my unbound.conf I have:
> trust-anchor-file: "/usr/local/etc/unbound/ancoras/br.anchor"
> But I saw in Chris Griffiths' message:
> trust-anchor-file: "/etc/unbound/anchors/br.anchor"
> trust-anchor-file: "/etc/unbound/anchors/se.anchor"
> trust-anchor-file: "/etc/unbound/anchors/bg.anchor"
> trust-anchor-file: "/etc/unbound/anchors/pr.anchor"
> trust-anchor-file: "/etc/unbound/anchors/cz.anchor"
> My question is: how many trusted keys must I use for validation? And, if
> I manage about 200 domains, must I take care of them in my recursive
> servers, including their trusted keys? Is there any additional security
> advantage in taking care of anchors for .br, .se, .bg and so on?
Until the root is signed, and if you don't want to use DLV for those queries,
To make it easier, I wrote "dnssec-conf":
If you're on Fedora/RHEL/CentOS, do:
yum install dnssec-conf
dnssec-configure -u --dnssec=on --dlv=on --production
You will find all the keys in /etc/pki/dnssec-keys/
See further: man dnssec-configure, man dnskey-pull