Hi,
On 26/07/18 16:15, ѽ҉ᶬḳ℠ via Unbound-users wrote:
> Hi,
>
> to my understanding it is feasible to have DNSSEC served for private
> zones in stub-zone, requiring a trusted key entry with the public key
> in config - that would be through
> trusted-keys-file: <, right?

trusted-keys-file reads the BIND syntax for a key statement, but not the managed 'db' file that has internal BIND stuff for key rotation.

trust-anchor-file is easy: just copy and paste the DNSKEY or DS records in there. Like, grep DNSKEY example.com.zone > example.com.key

auto-trust-anchor-file enables RFC5011 rotation and keeps track if the keys are rotated (like, for the root zone that is important). You can start the auto-trust-anchor-file rotation by providing a file like for trust-anchor-file: a plain text file with DNSKEY or DS records in there.

By default chroot is enabled; chroot: "" disables the use of chroot.

Best regards, Wouter

>
> Since the authoritative server is Bind 9.13.0 I thought it would make
> sense to utilize its zone file straight away for unbound as
>
> trusted-keys-file: "/var/named/mail.db" <. However, unbound is reporting
>
> /etc/unbound/var/named/mail.db: No such file or directory
> [1532614243] unbound-checkconf[2467:0] fatal error: trusted-keys-file:
> "/var/named/mail.db" does not exist in chrootdir /etc/unbound
>
> There is no chroot directive in the unbound conf however...
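The two fixes from the reply (extract the DNSKEY records into a plain trust-anchor-file, and turn chroot off so the path is used as given) as an added shell example that is not part of the thread; it goes a step beyond the one-line grep by joining DNSKEY records that BIND wraps over several lines. The zone name example.internal, the address 10.0.0.53, the temp paths and the key material are constructed placeholders.

```shell
# Added example, not from the thread: build a plain trust-anchor-file from the
# DNSKEY records of a BIND zone file and write the matching unbound.conf stanza.
# Zone name, addresses, paths and key material are constructed placeholders.
set -eu
# BIND's signed zone files often wrap DNSKEY records over several lines inside
# ( ... ), which a bare "grep DNSKEY" would cut in half: join such records,
# keep only the DNSKEY ones, and squeeze the key material into one token.
extract_dnskeys() {
    awk '
        /^[ \t]*;/ { next }                       # skip comment lines
        { sub(/;.*/, ""); buf = buf " " $0 }      # drop trailing comments, accumulate
        buf ~ /\(/ && buf !~ /\)/ { next }        # still inside a ( ... ) record
        {
            gsub(/[()]/, " ", buf)
            n = split(buf, f, /[ \t]+/); rec = ""; key = 0
            for (i = 1; i <= n; i++) {
                if (f[i] == "") continue
                if (f[i] == "DNSKEY") key = i
                sep = (rec == "") ? "" : " "
                if (key && i > key + 4) sep = ""  # base64 chunks after flags/proto/alg
                rec = rec sep f[i]
            }
            if (key) print rec
            buf = ""
        }' "$1" > "$2"
    grep -c DNSKEY "$2" || true                   # number of anchors written
}
# The reply's two fixes in one stanza: chroot off so the path is used as given,
# and trust-anchor-file (not trusted-keys-file) pointing at the DNSKEY list.
write_unbound_conf() {
    zone=$1; keyfile=$2; stubaddr=$3; conf=$4
    cat > "$conf" <<EOF
server:
    chroot: ""
    trust-anchor-file: "$keyfile"
stub-zone:
    name: "$zone"
    stub-addr: $stubaddr
EOF
}
ZONE_DB=$(mktemp); KEYFILE=$(mktemp); CONF=$(mktemp)
cat > "$ZONE_DB" <<'EOF'   # constructed sample zone file; not a real key
example.internal. IN SOA ns1.example.internal. hostmaster.example.internal. (
                  2018072601 3600 900 604800 3600 )
example.internal. 3600 IN DNSKEY 257 3 13 ( AwEAAcONSTRUCTEDplaceholderKEY
                                             DATAnotAREALkey== ) ; key id = 12345
example.internal. 3600 IN DNSKEY 256 3 13 AwEAAzskPlaceholderZSK== ; key id = 54321
EOF
extract_dnskeys "$ZONE_DB" "$KEYFILE"             # prints 2
write_unbound_conf example.internal "$KEYFILE" 10.0.0.53 "$CONF"
```

The generated file can be checked with unbound-checkconf before use; for a zone whose keys roll, switch the stanza to auto-trust-anchor-file as the reply describes, starting from the same DNSKEY list.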
