trust-anchor-file vs. trusted-keys-file

Hello,

I'm running Unbound as a local resolver for clients. I also have a few zones, forward and reverse, maintained locally. The local zones are served by BIND and are all signed using BIND's automated 'dnssec-policy'.

When I set this up I looked at the different ways of getting Unbound to trust the local zones signed by BIND. I decided to use 'trust-anchor-file' since this allows me to just have Unbound read the keys that BIND created. However, unlike 'trusted-keys-file', which allows globbing, for 'trust-anchor-file' each key needs to be specified separately.

With 'trusted-keys-file' the required format is not readily available. These files need to be created and maintained by hand or script.

I would like to be able to use globbing in 'trust-anchor-file'. That way I could use

   trust-anchor-file: "/var/named/keys/*.key"

and be sure all keys maintained by BIND will also be trusted by Unbound.

I'm thinking of tinkering a bit with key rollovers and globbing would allow me not to worry about Unbound except for maybe an occasional 'unbound-control reload'.

Are there any other users that would find globbing in 'trust-anchor-file' useful? Or are there other/better ways of going about it?

-- Sandro
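
One way to get the effect of globbing with the existing option, as an added example that is not part of the original post and not Unbound or BIND code: a script expands the key directory into an include file of individual 'trust-anchor-file' lines. The function names, the sample key files and the choice to list only keys with flags 257 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build an Unbound include file
# with one trust-anchor-file line per BIND key file whose DNSKEY has
# flags 257 (SEP bit set: KSK or CSK). Zone-signing keys (256) are skipped.

# gen_trust_anchors KEYDIR -> prints a "server:" clause, returns 1 if no key matched
gen_trust_anchors() {
    keydir=$1
    lines=""
    for f in "$keydir"/K*.key; do
        [ -f "$f" ] || continue          # glob matched nothing
        # Ignore ';' comment lines, then look for "DNSKEY 257" as adjacent
        # fields (works with or without TTL/class columns in front).
        if awk '/^[[:space:]]*;/ { next }
                { for (i = 1; i < NF; i++)
                      if ($i == "DNSKEY" && $(i + 1) == "257") ok = 1 }
                END { exit !ok }' "$f"; then
            lines="${lines}    trust-anchor-file: \"$f\"
"
        fi
    done
    [ -n "$lines" ] || return 1
    printf 'server:\n%s' "$lines"
}

# make_sample_keys DIR -> writes two CONSTRUCTED key files (placeholder key data)
make_sample_keys() {
    printf '%s\n' '; This is a key-signing key, keyid 11111, for example.test.' \
        'example.test. 3600 IN DNSKEY 257 3 13 Q09OU1RSVUNURUQ=' \
        > "$1/Kexample.test.+013+11111.key"
    printf '%s\n' '; This is a zone-signing key, keyid 22222, for example.test.' \
        'example.test. 3600 IN DNSKEY 256 3 13 Q09OU1RSVUNURUQ=' \
        > "$1/Kexample.test.+013+22222.key"
}

# Demo: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample_keys "$d" && gen_trust_anchors "$d"
    rm -rf "$d"
fi
```

The output is meant to be written to a file pulled in with Unbound's 'include:' directive, checked with 'unbound-checkconf', and followed by 'unbound-control reload'. Key files that BIND has retired but not yet removed from the directory are still listed, so the include file trusts them until they are gone.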