On Tue, 28 Jul 2015, Edward Lewis via Unbound-users wrote:
unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org. I am trying to test RFC 5011 capabilities by following these websites: http://keyroll.systems and http://icksk.dnssek.info/fauxroot.html Goal is to run unbound-anchor as a first step before trying to tune unbound to either of those experiments.

Have you tried using /etc/hosts entries for data.iana.org pointing to the others? :)

More seriously, from the man page:

    -u name
        The server name, it connects to https://name. Specify without
        https:// prefix. The default is "data.iana.org". It connects to
        the port specified with -P. You can pass an IPv4 address or IPv6
        address (no brackets) if you want.

    -x path
        The pathname to the root-anchors.xml file on the server. (forms
        URL with -u). The default is /root-anchors/root-anchors.xml.

    -s path
        The pathname to the root-anchors.p7s file on the server. (forms
        URL with -u). The default is /root-anchors/root-anchors.p7s.
        This file has to be a PKCS7 signature over the xml file, using
        the pem file (-c) as trust anchor.

Paul
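
Added example, not part of the original thread and not unbound-anchor's own code: a test server used with -u/-x/-s has to serve a .p7s that verifies against the certificate passed with -c. The sketch below uses the openssl command line to build such a set of files and check it; the file names, certificate subject and XML content are constructed test values, and unbound-anchor may apply checks beyond this signature verification.

```shell
#!/bin/sh
# Build a test signer certificate, a placeholder XML file, and a detached
# DER-encoded PKCS7 signature over that file.
make_test_anchor() {   # $1 = output directory
    dir=$1
    # Constructed placeholder content, not real trust-anchor data.
    printf '<TrustAnchor><Zone>.</Zone></TrustAnchor>\n' > "$dir/root-anchors.xml"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=constructed test signer" \
        -keyout "$dir/test.key" -out "$dir/test.pem" 2>/dev/null || return 1
    openssl smime -sign -binary -noattr -outform DER \
        -signer "$dir/test.pem" -inkey "$dir/test.key" \
        -in "$dir/root-anchors.xml" -out "$dir/root-anchors.p7s"
}

# Succeeds only if the p7s is a valid signature over the xml AND the
# signer chains to the given pem (the role the -c file plays).
verify_anchor() {      # $1 = xml, $2 = p7s, $3 = pem
    openssl smime -verify -binary -inform DER -in "$2" \
        -content "$1" -CAfile "$3" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d) || return 1
    make_test_anchor "$work" || return 1
    verify_anchor "$work/root-anchors.xml" "$work/root-anchors.p7s" \
        "$work/test.pem" && echo "ok: signature verifies against test.pem"
    # A second, unrelated certificate must not be accepted as trust anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=constructed unrelated cert" \
        -keyout "$work/other.key" -out "$work/other.pem" 2>/dev/null
    verify_anchor "$work/root-anchors.xml" "$work/root-anchors.p7s" \
        "$work/other.pem" || echo "rejected: other.pem did not sign this file"
    rm -rf "$work"
}
demo
```

The three outputs map onto the options quoted above: root-anchors.xml is served at the -x path, root-anchors.p7s at the -s path, and test.pem is the file given with -c.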