1DNSSEC-TRUST-ANCHORS.D(5)   dnssec-trust-anchors.d   DNSSEC-TRUST-ANCHORS.D(5)
2
3
4

NAME

6       dnssec-trust-anchors.d, systemd.positive, systemd.negative - DNSSEC
7       trust anchor configuration files
8

SYNOPSIS

10       /etc/dnssec-trust-anchors.d/*.positive
11
12       /run/dnssec-trust-anchors.d/*.positive
13
14       /usr/lib/dnssec-trust-anchors.d/*.positive
15
16       /etc/dnssec-trust-anchors.d/*.negative
17
18       /run/dnssec-trust-anchors.d/*.negative
19
20       /usr/lib/dnssec-trust-anchors.d/*.negative
21

DESCRIPTION

23       The DNSSEC trust anchor configuration files define positive and
24       negative trust anchors systemd-resolved.service(8) bases DNSSEC
25       integrity proofs on.
26

POSITIVE TRUST ANCHORS

28       Positive trust anchor configuration files contain DNSKEY and DS
29       resource record definitions to use as base for DNSSEC integrity proofs.
30       See RFC 4035, Section 4.4[1] for more information about DNSSEC trust
31       anchors.
32
33       Positive trust anchors are read from files with the suffix .positive
34       located in /etc/dnssec-trust-anchors.d/, /run/dnssec-trust-anchors.d/
35       and /usr/lib/dnssec-trust-anchors.d/. These directories are searched in
36       the specified order, and a trust anchor file of the same name in an
37       earlier path overrides a trust anchor files in a later path. To disable
38       a trust anchor file shipped in /usr/lib/dnssec-trust-anchors.d/ it is
39       sufficient to provide an identically-named file in
40       /etc/dnssec-trust-anchors.d/ or /run/dnssec-trust-anchors.d/ that is
41       either empty or a symlink to /dev/null ("masked").
42
43       Positive trust anchor files are simple text files resembling DNS zone
44       files, as documented in RFC 1035, Section 5[2]. One DS or DNSKEY
45       resource record may be listed per line. Empty lines and lines starting
46       with "#" or ";" are ignored, which may be used for commenting. A
47       <consant>DS</consant> resource record is specified like in the
48       following example:
49
50           . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
51
52       The first word specifies the domain, use "."  for the root domain. The
53       domain may be specified with or without trailing dot, which is
54       considered equivalent. The second word must be "IN" the third word
55       "DS". The following words specify the key tag, signature algorithm,
56       digest algorithm, followed by the hex-encoded key fingerprint. See RFC
57       4034, Section 5[3] for details about the precise syntax and meaning of
58       these fields.
59
60       Alternatively, DNSKEY resource records may be used to define trust
61       anchors, like in the following example:
62
63           . IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
64
65       The first word specifies the domain again, the second word must be
66       "IN", followed by "DNSKEY". The subsequent words encode the DNSKEY
67       flags, protocol and algorithm fields, followed by the key data encoded
68       in Base64. See RFC 4034, Section 2[4] for details about the precise
69       syntax and meaning of these fields.
70
71       If multiple DS or DNSKEY records are defined for the same domain
72       (possibly even in different trust anchor files), all keys are used and
73       are considered equivalent as base for DNSSEC proofs.
74
75       Note that systemd-resolved will automatically use a built-in trust
76       anchor key for the Internet root domain if no positive trust anchors
77       are defined for the root domain. In most cases it is hence unnecessary
78       to define an explicit key with trust anchor files. The built-in key is
79       disabled as soon as at least one trust anchor key for the root domain
80       is defined in trust anchor files.
81
82       It is generally recommended to encode trust anchors in DS resource
83       records, rather than DNSKEY resource records.
84
85       If a trust anchor specified via a DS record is found revoked it is
86       automatically removed from the trust anchor database for the runtime.
87       See RFC 5011[5] for details about revoked trust anchors. Note that
88       systemd-resolved will not update its trust anchor database from DNS
89       servers automatically. Instead, it is recommended to update the
90       resolver software or update the new trust anchor via adding in new
91       trust anchor files.
92
93       The current DNSSEC trust anchor for the Internet's root domain is
94       available at the IANA Trust Anchor and Keys[6] page.
95

NEGATIVE TRUST ANCHORS

97       Negative trust anchors define domains where DNSSEC validation shall be
98       turned off. Negative trust anchor files are found at the same location
99       as positive trust anchor files, and follow the same overriding rules.
100       They are text files with the .negative suffix. Empty lines and lines
101       whose first character is ";" are ignored. Each line specifies one
102       domain name which is the root of a DNS subtree where validation shall
103       be disabled. For example:
104
105           # Reverse IPv4 mappings
106           10.in-addr.arpa
107           16.172.in-addr.arpa
108           168.192.in-addr.arpa
109           ...
110           # Some custom domains
111           prod
112           stag
113
114       Negative trust anchors are useful to support private DNS subtrees that
115       are not referenced from the Internet DNS hierarchy, and not signed.
116
117       RFC 7646[7] for details on negative trust anchors.
118
119       If no negative trust anchor files are configured a built-in set of
120       well-known private DNS zone domains is used as negative trust anchors.
121
122       It is also possibly to define per-interface negative trust anchors
123       using the DNSSECNegativeTrustAnchors= setting in systemd.network(5)
124       files.
125

SEE ALSO

127       systemd(1), systemd-resolved.service(8), resolved.conf(5),
128       systemd.network(5)
129

NOTES

131        1. RFC 4035, Section 4.4
132           https://tools.ietf.org/html/rfc4035#section-4.4
133
134        2. RFC 1035, Section 5
135           https://tools.ietf.org/html/rfc1035#section-5
136
137        3. RFC 4034, Section 5
138           https://tools.ietf.org/html/rfc4034#section-5
139
140        4. RFC 4034, Section 2
141           https://tools.ietf.org/html/rfc4034#section-2
142
143        5. RFC 5011
144           https://tools.ietf.org/html/rfc5011
145
146        6. IANA Trust Anchor and Keys
147           https://data.iana.org/root-anchors/root-anchors.xml
148
149        7. RFC 7646
150           https://tools.ietf.org/html/rfc7646
151
152
153
154systemd 249                                          DNSSEC-TRUST-ANCHORS.D(5)
Impressum