unbound-control to display trust anchors?

I'm compiling a list of commands to check the trust anchors of a
resolver (for the Day of Doom, 11 October) like 'rndc managed-keys
status' for BIND.

With Unbound, the only solution I find is to cat the trust anchor
file, which is less convenient, since its location is
system-dependent.

Any way to do it with unbound-control? (I swear I've read the FM
before.)

[willem@bela ~]$ dig @localhost trustanchor.unbound. TXT CH +short
". 19036 20326"
"2018-08-12.automated-ksk-test.research.icann.org. 3934"

a message of 17 lines which said:

> [willem@bela ~]$ dig @localhost trustanchor.unbound. TXT CH +short
> ". 19036 20326"
> "2018-08-12.automated-ksk-test.research.icann.org. 3934"

Thanks, but it seems to work with very recent Unbounds only (the one
in Debian stable, or the one in Ubuntu LTS, replies REFUSED).

Stephane Bortzmeyer via Unbound-users writes:

> Thanks, but it seems to work with very recent Unbounds only (the one
> in Debian stable, or the one in Ubuntu LTS, replies REFUSED).

Unbound 1.6.2, 24 April 2017:

Add trustanchor.unbound CH TXT that gets a response with a number of
TXT RRs with a string like "example.com. 2345 1234" with the trust
anchors and their keytags.

Stephane,

On September 5 2017, we’ve published https://www.icann.org/dns-resolvers-checking-current-trust-anchors

If this is incomplete, please let us know.

Thanks,
-dc

a message of 161 lines which said:

> On September 5 2017, we've published
> https://www.icann.org/dns-resolvers-checking-current-trust-anchors

Thanks, I did not notice it. Very useful.

> If this is incomplete, please let us know.

The advice for Unbound is not perfect. It says "Look in the root.key
file in Unbound's configuration directory, which is usually
/etc/unbound." A Debian default installation, for instance, does not
put the TA file there (/etc/unbound is not writable, which prevents
RFC 5011 from working). I would suggest "Look in the trust anchor file. It
is indicated in Unbound's configuration file(s), whose location depends
on your operating system. In the configuration file(s), search for the
directives trust-anchor-file or auto-trust-anchor-file, then display
the indicated trust anchor file."

For Knot Resolver, the keys file indicates the key tag, so it is not
necessary to check the entire key. Here is an example (this Knot
installation does not use the ICANN root):

root@turris:/etc/kresd# cat root.keys
. 3600 DNSKEY 257 3 8 AwEAAdZZqL65TA/kHkLq1+ON5eQYm9PUBgV5UQbPcQtRAXbad1l6m6R0iJIg46IiyFyUkEh+H7Z9/oPNnkM9zub2TjFiNVZUSnpyWtPqVD5nHrhUOdS3yW/AXpZuNJ3zX9XDXUpiEnfTPOMrUiZppP1fqx/jnAC9YDLs4K26ocoDyQp+umu+eOrP/TOacRag+9r9NiQzsVuXHQnCwpPY4NwlA7QRaOOjBiI9tNEDD2khVE7Yy5c/sZYirlTOTEBbXkd9l9WVqRgEO+ikb8GMg7hgOddvqj7ItBZvBUACQc3c0OqaLnEZx6CwIQpjxpPPYdyiEdKSwHGH3V3TfS+AEQlW8uk= ; Valid: ; KeyTag:59302

Also, Knot has a useful console, so you may instead type
'trust_anchors.keysets' in the console.

trust_anchors.keysets

[\0] => {
    [1] => {
        [owner] => \0
        [key_tag] => 59302
        [comment] => Valid: ; KeyTag:59302
        [class] => 1
        [state] => Valid
        [rdata] => \1\1\3\8\3\1\0\1\214Y\168\190\185L\15\228\30B\234\215\227\141\229\228\24\155\211\212\6\5yQ\6\207q\11Q\1v\218wYz\155\164t\136\146 \227\162...
        [ttl] => 3600
        [type] => 48
    }
    [filename] => /etc/kresd/root.keys
    [refresh_ev] => 10
    [owner] => \0
}
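The checks discussed across this thread, pulled together as an added example (not code from Unbound, Knot Resolver or ICANN): it finds the trust anchor file(s) named by trust-anchor-file / auto-trust-anchor-file in an Unbound config, computes the key tag of each DNSKEY in a trust anchor file (RFC 4034 Appendix B, so you can verify a file that does not print a KeyTag comment the way Knot's does), parses the trustanchor.unbound CH TXT answer that Unbound 1.6.2 and later return, and compares the root key tags with the two ICANN root KSK tags (19036 and 20326) quoted above. The config excerpt, the toy DNSKEY line and the file paths are constructed for illustration; the `include:` directive is not followed, so run it over each config file Unbound loads.

```python
"""Trust anchor checks: locate Unbound's trust anchor files, compute DNSKEY
key tags (RFC 4034 Appendix B), and compare root tags against what
'dig @localhost trustanchor.unbound. TXT CH +short' reports.

Added example for this thread, not Unbound's, Knot's or ICANN's own code.
The config excerpt, toy key and paths below are constructed."""
import base64
import re
import shlex

# Key tags of the two ICANN root KSKs (KSK-2010 and KSK-2017), as shown in
# the trustanchor.unbound answer quoted in the thread.
EXPECTED_ROOT_TAGS = {19036, 20326}

# DNSKEY presentation format, optional TTL and class, optional ';' comment
# (Unbound root.key and Knot root.keys both append comments).
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"
    r"(?P<key>[A-Za-z0-9+/= \t]+?)\s*(?:;.*)?$"
)


def trust_anchor_files(conf_text):
    """Paths named by trust-anchor-file: / auto-trust-anchor-file: directives.
    Comments are stripped first; values may be quoted or bare."""
    paths = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(?:auto-)?trust-anchor-file:\s*(.+)$", line)
        if m:
            paths.append(shlex.split(m.group(1))[0])
    return paths


def key_tag(rdata, algorithm=None):
    """Key tag over DNSKEY RDATA (flags, protocol, algorithm, public key).
    Algorithm 1 (RSA/MD5) is the historical exception: its tag is the high
    16 bits of the low 24 bits of the modulus (RFC 4034 B.1)."""
    if algorithm == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Return (owner, flags, algorithm, key_tag) for one DNSKEY line, or None."""
    m = DNSKEY_RE.match(line.strip())
    if not m:
        return None
    flags, proto, alg = (int(m[g]) for g in ("flags", "proto", "alg"))
    pubkey = base64.b64decode("".join(m["key"].split()))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return m["owner"], flags, alg, key_tag(rdata, alg)


def anchors_in_file(text):
    """Owner -> set of key tags for every DNSKEY line in a trust anchor file."""
    tags = {}
    for line in text.splitlines():
        rec = parse_dnskey(line)
        if rec:
            owner, _flags, _alg, tag = rec
            tags.setdefault(owner, set()).add(tag)
    return tags


def parse_trustanchor_txt(dig_output):
    """Owner -> set of key tags from the +short answer to
    'dig @localhost trustanchor.unbound. TXT CH' (Unbound 1.6.2 and later):
    one TXT string per anchor, '"<owner> <tag> [<tag> ...]"'."""
    tags = {}
    for line in dig_output.splitlines():
        fields = line.strip().strip('"').split()
        if len(fields) >= 2 and all(f.isdigit() for f in fields[1:]):
            tags.setdefault(fields[0], set()).update(int(f) for f in fields[1:])
    return tags


def check_root(tags, expected=EXPECTED_ROOT_TAGS):
    """(missing, unexpected) root key tags relative to the expected set."""
    have = tags.get(".", set())
    return expected - have, have - expected


# Constructed unbound.conf excerpt (Debian-style writable anchor location).
SAMPLE_CONF = """server:
    # auto-trust-anchor-file must be writable for RFC 5011 updates
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    trust-anchor-file: /etc/unbound/extra.key  # constructed path
"""

# Constructed trust anchor file with a toy 2-byte "key" (base64 of 0x01 0x02);
# its RDATA 01 01 03 08 01 02 gives key tag 0x0101 + 0x0308 + 0x0102 = 1291.
SAMPLE_KEYFILE = "example. 3600 IN DNSKEY 257 3 8 AQI= ; toy key, not a real one\n"

# The trustanchor.unbound answer quoted earlier in the thread.
SAMPLE_DIG = '". 19036 20326"\n"2018-08-12.automated-ksk-test.research.icann.org. 3934"\n'

if __name__ == "__main__":
    print("anchor files:", trust_anchor_files(SAMPLE_CONF))
    print("file tags:", anchors_in_file(SAMPLE_KEYFILE))
    missing, extra = check_root(parse_trustanchor_txt(SAMPLE_DIG))
    print("root tags missing:", sorted(missing), "unexpected:", sorted(extra))
```

On a real resolver, feed `anchors_in_file` the contents of each path returned by `trust_anchor_files`, and `parse_trustanchor_txt` the actual dig output; a non-empty "missing" set for "." after 11 October means the resolver never picked up KSK-2017.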