On Tue, 28 Jul 2015, Edward Lewis via Unbound-users wrote:
> unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org.
> I am trying to test RFC 5011 capabilities by following these websites:
> http://keyroll.systems
> and
> http://icksk.dnssek.info/fauxroot.html
> Goal is to run unbound-anchor as a first step before trying to tune
> unbound to either of those experiments.

Have you tried using /etc/hosts entries for data.iana.org pointing to
the others? :)
More seriously, from the man page:

  -u name
      The server name, it connects to https://name. Specify without
      https:// prefix. The default is "data.iana.org". It connects
      to the port specified with -P. You can pass an IPv4 address or
      IPv6 address (no brackets) if you want.

  -x path
      The pathname to the root-anchors.xml file on the server. (forms
      URL with -u). The default is /root-anchors/root-anchors.xml.

  -s path
      The pathname to the root-anchors.p7s file on the server. (forms
      URL with -u). The default is /root-anchors/root-anchors.p7s.
      This file has to be a PKCS7 signature over the xml file, using
      the pem file (-c) as trust anchor.

Paul
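
Added example (not part of the original message and not the Unbound project's code): the -s description above says the .p7s file must be a PKCS7 signature over the XML file, with the -c PEM file as trust anchor. These shell functions use the openssl command-line tool to build that set of three files from constructed test data and to check it; the function names, file contents and certificate subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: relationship between the files behind -c, -x and -s.
# Everything generated here is constructed test data, not IANA material.

# make_test_anchor DIR
#   DIR/ca.pem            plays the role of the -c trust anchor
#   DIR/root-anchors.xml  plays the role of the file fetched via -x
#   DIR/root-anchors.p7s  plays the role of the file fetched via -s
make_test_anchor() {
    dir=$1
    # Throwaway self-signed certificate and key; the subject is made up.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-signer" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Placeholder XML body; a real file carries the KeyDigest entries.
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<TrustAnchor><Zone>.</Zone></TrustAnchor>' \
        > "$dir/root-anchors.xml"
    # Detached, DER-encoded PKCS7 signature over the exact XML bytes.
    openssl smime -sign -binary -noattr -outform DER \
        -in "$dir/root-anchors.xml" \
        -signer "$dir/ca.pem" -inkey "$dir/ca.key" \
        -out "$dir/root-anchors.p7s" 2>/dev/null
}

# verify_test_anchor DIR
#   Exit status 0 only if the .p7s verifies over the .xml and the signer
#   chains to ca.pem. Any change to the XML bytes makes this fail.
verify_test_anchor() {
    dir=$1
    openssl smime -verify -binary -inform DER \
        -in "$dir/root-anchors.p7s" -content "$dir/root-anchors.xml" \
        -CAfile "$dir/ca.pem" -purpose any -out /dev/null 2>/dev/null
}
```

Source the file and run `d=$(mktemp -d); make_test_anchor "$d" && verify_test_anchor "$d" && echo verified`; editing root-anchors.xml afterwards makes the verify step fail, which is the property the signature file exists to provide.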