Generate per-domain trust anchors files
Unbound's option `auto-trust-anchor-file` and kresd's function `trust_anchors.add_file()` do not support mixing trust anchors for multiple domains in one file. For this reason, specifying trust anchors for multiple domains with Deckard's `trust-anchor:` option does not work with these options. This prevents RFC 5011 testing.
Example: Deckard's `trust-anchor:` option with two anchors for domain `a.` and one anchor for domain `b.` generates the following trust anchors file:

```
a. 172800 DNSKEY 257 3 8 bla=
a. 172800 DNSKEY 257 3 8 ble=
b. 172800 DNSKEY 257 3 8 bleh=
```
A file with this content is not acceptable because it mixes several domains in one file.

We need a mechanism to create a separate trust anchor file for each domain. Each file should contain all trust anchors for the given domain. The set of trust anchors from above should be translated to files approximately like this:
File `a.keys`:

```
a. 172800 DNSKEY 257 3 8 bla=
a. 172800 DNSKEY 257 3 8 ble=
```

File `b.keys`:

```
b. 172800 DNSKEY 257 3 8 bleh=
```
Notes:

- Names of generated files must be available in a Jinja2 variable so they can be referenced from the template.
- Beware: domain names have special comparison rules, use `dns.name.Name` objects for comparison (i.e. do not compare names as strings).