1unbound-anchor(8) unbound 1.4.20 unbound-anchor(8)
2
3
4
6 unbound-anchor - Unbound anchor utility.
7
9 unbound-anchor [opts]
10
12 Unbound-anchor performs setup or update of the root trust anchor for
13 DNSSEC validation. It can be run (as root) from the commandline, or
14 run as part of startup scripts. Before you start the unbound(8) DNS
15 server.
16
17 Suggested usage:
18
19 # in the init scripts.
20 # provide or update the root anchor (if necessary)
21 unbound-anchor -a "/var/lib/unbound/root.key"
22 # Please note usage of this root anchor is at your own risk
23 # and under the terms of our LICENSE (see source).
24 #
25 # start validating resolver
26 # the unbound.conf contains:
27 # auto-trust-anchor-file: "/var/lib/unbound/root.key"
28 unbound -c unbound.conf
29
30 This tool provides builtin default contents for the root anchor and
31 root update certificate files.
32
33 It tests if the root anchor file works, and if not, and an update is
34 possible, attempts to update the root anchor using the root update cer‐
35 tificate. It performs a https fetch of root-anchors.xml and checks the
36 results, if all checks are successful, it updates the root anchor file.
37 Otherwise the root anchor file is unchanged. It performs RFC5011
38 tracking if the DNSSEC information available via the DNS makes that
39 possible.
40
41 It does not perform an update if the certificate is expired, if the
42 network is down or other errors occur.
43
44 The available options are:
45
46 -a file
47 The root anchor key file, that is read in and written out.
48 Default is /var/lib/unbound/root.key. If the file does not
49 exist, or is empty, a builtin root key is written to it.
50
51 -c file
52 The root update certificate file, that is read in. Default is
53 /etc/unbound/icannbundle.pem. If the file does not exist, or is
54 empty, a builtin certificate is used.
55
56 -l List the builtin root key and builtin root update certificate on
57 stdout.
58
59 -u name
60 The server name, it connects to https://name. Specify without
61 https:// prefix. The default is "data.iana.org". It connects
62 to the port specified with -P. You can pass an IPv4 addres or
63 IPv6 address (no brackets) if you want.
64
65 -x path
66 The pathname to the root-anchors.xml file on the server. (forms
67 URL with -u). The default is /root-anchors/root-anchors.xml.
68
69 -s path
70 The pathname to the root-anchors.p7s file on the server. (forms
71 URL with -u). The default is /root-anchors/root-anchors.p7s.
72 This file has to be a PKCS7 signature over the xml file, using
73 the pem file (-c) as trust anchor.
74
75 -n name
76 The emailAddress for the Subject of the signer's certificate
77 from the p7s signature file. Only signatures from this name are
78 allowed. default is dnssec@iana.org. If you pass "" then the
79 emailAddress is not checked.
80
81 -4 Use IPv4 for domain resolution and contacting the server on
82 https. Default is to use IPv4 and IPv6 where appropriate.
83
84 -6 Use IPv6 for domain resolution and contacting the server on
85 https. Default is to use IPv4 and IPv6 where appropriate.
86
87 -f resolv.conf
88 Use the given resolv.conf file. Not enabled by default, but you
89 could try to pass /etc/resolv.conf on some systems. It contains
90 the IP addresses of the recursive nameservers to use. However,
91 since this tool could be used to bootstrap that very recursive
92 nameserver, it would not be useful (since that server is not up
93 yet, since we are bootstrapping it). It could be useful in a
94 situation where you know an upstream cache is deployed (and run‐
95 ning) and in captive portal situations.
96
97 -r root.hints
98 Use the given root.hints file (same syntax as the BIND and
99 Unbound root hints file) to bootstrap domain resolution. By
100 default a list of builtin root hints is used. Unbound-anchor
101 goes to the network itself for these roots, to resolve the
102 server (-u option) and to check the root DNSKEY records. It
103 does so, because the tool when used for bootstrapping the recur‐
104 sive resolver, cannot use that recursive resolver itself because
105 it is bootstrapping that server.
106
107 -v More verbose. Once prints informational messages, multiple times
108 may enable large debug amounts (such as full certificates or
109 byte-dumps of downloaded files). By default it prints almost
110 nothing. It also prints nothing on errors by default; in that
111 case the original root anchor file is simply left undisturbed,
112 so that a recursive server can start right after it.
113
114 -C unbound.conf
115 Debug option to read unbound.conf into the resolver process
116 used.
117
118 -P port
119 Set the port number to use for the https connection. The
120 default is 443.
121
122 -F Debug option to force update of the root anchor through down‐
123 loading the xml file and verifying it with the certificate. By
124 default it first tries to update by contacting the DNS, which
125 uses much less bandwidth, is much faster (200 msec not 2 sec),
126 and is nicer to the deployed infrastructure. With this option,
127 it still attempts to do so (and may verbosely tell you), but
128 then ignores the result and goes on to use the xml fallback
129 method.
130
131 -h Show the version and commandline option help.
132
134 This tool exits with value 1 if the root anchor was updated using the
135 certificate or if the builtin root-anchor was used. It exits with code
136 0 if no update was necessary, if the update was possible with RFC5011
137 tracking, or if an error occurred.
138
139 You can check the exit value in this manner:
140 unbound-anchor -a "root.key" || logger "Please check root.key"
141 Or something more suitable for your operational environment.
142
144 The root keys and update certificate included in this tool are provided
145 for convenience and under the terms of our license (see the LICENSE
146 file in the source distribution or http://unbound.nlnet‐
147 labs.nl/svn/trunk/LICENSE) and might be stale or not suitable to your
148 purpose.
149
150 By running "unbound-anchor -l" the keys and certificate that are con‐
151 figured in the code are printed for your convenience.
152
153 The build-in configuration can be overridden by providing a root-cert
154 file and a rootkey file.
155
157 /var/lib/unbound/root.key
158 The root anchor file, updated with 5011 tracking, and read and
159 written to. The file is created if it does not exist.
160
161 /etc/unbound/icannbundle.pem
162 The trusted self-signed certificate that is used to verify the
163 downloaded DNSSEC root trust anchor. You can update it by
164 fetching it from https://data.iana.org/root-anchors/icannbun‐
165 dle.pem (and validate it). If the file does not exist or is
166 empty, a builtin version is used.
167
168 https://data.iana.org/root-anchors/root-anchors.xml
169 Source for the root key information.
170
171 https://data.iana.org/root-anchors/root-anchors.p7s
172 Signature on the root key information.
173
175 unbound.conf(5), unbound(8).
176
177
178
179NLnet Labs Mar 21, 2013 unbound-anchor(8)