>>>> You can start the auto-trust-anchor-file rotation by providing a file
>>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>>> in there.
>>>>
>>>>
>> I tried this with (in conf)
>>
>> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
>> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
>>
>> And the latter reading (copied from the BIND-9 zone file)
>>
>> mail. 1d IN DS 22205 14 1
>> 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN DS 22205 14 2
>> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>
>> and as variation
>>
>> mail. 1d IN DNSKEY 22205 14 1
>> 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN DNSKEY 22205 14 2
>> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>
>> but either way unbound is reporting the below and I do not understand
>> what the issue (anchor cannot be with and without autotrust) is?
>>
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from
>> /etc/unbound/mail-trusted-key.key at line 1, skipping
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from
>> /etc/unbound/mail-trusted-key.key at line 2, skipping
>> error: failed to read /etc/unbound/mail-trusted-key.key
>> error: error reading auto-trust-anchor-file:
>> /etc/unbound/mail-trusted-key.key
>> error: validator: error in trustanchors config
>> error: validator: could not apply configuration settings.
>> fatal error: bad config for validator module
> Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor
> structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and if
> not met throwing the error.
> I am no coder and cannot make sense of
>
> if(tp) {
>     if(!tp->autr) {
>         log_err("anchor cannot be with and without autotrust");
>         lock_basic_unlock(&tp->lock);
>         return NULL;
>     }
>
> The BIND-9 zone file does only provide the aforementioned. Does anything
> have to be done with it to make it compliant with the anchor structure
> required by unbound?
>
>
After a [ dig dnskey ] of the zone I amended "/etc/unbound/mail-trusted-key.key" to

mail. 86156 IN DNSKEY 257 3 14 cFLtBucj9d4f4Yu2S4ATAyj3VElBcDAukQdQaG+Kv47VV+932dU7VZlq Onl8VKBYU/Z6gRvGYGmkl3bGtaqdcqyjoMWYoXgku+SqMMpZVPHvWqLx ymR1B8+DZ96lXvkW
mail. 86156 IN DNSKEY 256 3 14 lWTX1MIw/HqcBk7nHwAmMvHnlvAVF8L0BZb9Foqi6BiS8qJIDu6j3tP8 ggjkkU2/ISCmJ0Ue1MGQd5jEwT5fKJ1mtESlqYawGODGWmNb8L/wamlQ NVH9QHWav9qfgvc1

but the [ error: anchor cannot be with and without autotrust ] just keeps on popping up. Am I doing something wrong or is this a bug in unbound?
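An added checker (my example, not code from the thread or from unbound) that parses anchor files in the presentation format quoted above and reports two things worth verifying before blaming the resolver: rdata that does not fit its type name (a DNSKEY line carrying "keytag alg digesttype hex", which is DS rdata), and an owner name that is present both in a static anchor set and in an auto-trust-anchor-file, which is what the error text literally describes. That either of these is the cause in this thread is an assumption; the thread does not resolve it, and the sample inputs are constructed from the records quoted above.

```python
import re
# Constructed inputs (not the thread's files) in the shape quoted above; the autotrust file
# deliberately carries DS-shaped rdata under a DNSKEY label, as in the question.
STATIC = "mail. 1d IN DS 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA\n"
AUTO = ("mail. 1d IN DNSKEY 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111\n"
        "mail. 86156 IN DNSKEY 257 3 14 cFLtBucj9d4f4Yu2S4ATAyj3VElBcDAukQdQaG+Kv47VV+932dU7VZlq "
        "Onl8VKBYU/Z6gRvGYGmkl3bGtaqdcqyjoMWYoXgku+SqMMpZVPHvWqLx ymR1B8+DZ96lXvkW\n")
DS_DIGEST_HEX = {1: 40, 2: 64, 4: 96}          # SHA-1, SHA-256, SHA-384 digest lengths
TTL = re.compile(r"\d+[smhdw]?", re.I)

def parse_rr(line):
    # One presentation-format record -> (owner, type, rdata fields); None for blank/comment
    fields = line.split(";", 1)[0].split()
    if not fields:
        return None
    owner, rest = fields[0], fields[1:]
    while rest and (TTL.fullmatch(rest[0]) or rest[0].upper() == "IN"):
        rest.pop(0)                                # skip optional TTL and class
    return (owner.lower(), rest[0].upper(), rest[1:]) if rest else None

def check_rdata(rrtype, rdata):
    """Problems with DS or DNSKEY rdata; [] when the record is well formed."""
    if len(rdata) < 4 or not all(f.isdigit() for f in rdata[:3]):
        return ["expected '<n> <n> <n> <data>' rdata"]
    a, b, c = (int(f) for f in rdata[:3])
    blob = "".join(rdata[3:])                      # digest/key split over several fields
    if rrtype == "DS":
        want = DS_DIGEST_HEX.get(c)
        if want is None or len(blob) != want or not re.fullmatch(r"[0-9A-Fa-f]+", blob):
            return [f"bad DS digest for digest type {c}: want {want} hex chars"]
        return []
    if rrtype == "DNSKEY":
        # '<keytag> <alg> <digesttype> <hex>' is DS rdata filed under the DNSKEY type name
        if b != 3 or a not in (256, 257):
            return ["DNSKEY rdata must be '<256|257> 3 <alg> <base64 key>' (looks like DS rdata)"]
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", blob):
            return ["DNSKEY public key is not base64"]
        return []
    return [f"unsupported anchor type {rrtype}"]

def audit(static_text, auto_text):
    """Problems per owner; a name in both the static and the autotrust set is flagged too."""
    problems, sources = {}, {}
    for kind, text in (("static", static_text), ("autotrust", auto_text)):
        for owner, rrtype, rdata in filter(None, map(parse_rr, text.splitlines())):
            sources.setdefault(owner, set()).add(kind)
            problems.setdefault(owner, []).extend(check_rdata(rrtype, rdata))
    for owner, kinds in sources.items():
        if len(kinds) == 2:
            problems[owner].append("anchor configured both with and without autotrust")
    return problems
```

Run audit() over the real contents of the trust-anchor-file and auto-trust-anchor-file entries from unbound.conf; an owner with an empty list is well formed and unique to one mechanism.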