On Tue, Aug 28, 2018 at 09:44:38AM -0700, David Conrad <[email protected]> wrote a message of 161 lines which said:
> On September 5 2017, we’ve published
> https://www.icann.org/dns-resolvers-checking-current-trust-anchors

Thanks, I did not notice it. Very useful.

> If this is incomplete, please let us know.

The advice for Unbound is not perfect. It says "Look in the root.key file in Unbound's configuration directory, which is usually /etc/unbound." A Debian default installation, for instance, does not put the TA file there (/etc/unbound is not writable, which prevents RFC 5011 from working). I would suggest "Look in the trust anchors file. It is indicated in Unbound's configuration file(s), whose location depends on your operating system. In the configuration file(s), search for the directives trust-anchor-file or auto-trust-anchor-file, then display the indicated trust anchor file."

For Knot Resolver, the keys file indicates the key tag, so it is not necessary to check the entire key. Here is an example (this Knot installation does not use the ICANN root):

root@turris:/etc/kresd# cat root.keys
. 3600 DNSKEY 257 3 8 AwEAAdZZqL65TA/kHkLq1+ON5eQYm9PUBgV5UQbPcQtRAXbad1l6m6R0iJIg46IiyFyUkEh+H7Z9/oPNnkM9zub2TjFiNVZUSnpyWtPqVD5nHrhUOdS3yW/AXpZuNJ3zX9XDXUpiEnfTPOMrUiZppP1fqx/jnAC9YDLs4K26ocoDyQp+umu+eOrP/TOacRag+9r9NiQzsVuXHQnCwpPY4NwlA7QRaOOjBiI9tNEDD2khVE7Yy5c/sZYirlTOTEBbXkd9l9WVqRgEO+ikb8GMg7hgOddvqj7ItBZvBUACQc3c0OqaLnEZx6CwIQpjxpPPYdyiEdKSwHGH3V3TfS+AEQlW8uk= ; Valid: ; KeyTag:59302

Also, Knot has a useful console, so you may instead type 'trust_anchors.keysets' in the console.

> trust_anchors.keysets
[\0] => {
    [1] => {
        [owner] => \0
        [key_tag] => 59302
        [comment] => Valid: ; KeyTag:59302
        [class] => 1
        [state] => Valid
        [rdata] => \1\1\3\8\3\1\0\1\214Y\168\190\185L\15\228\30B\234\215\227\141\229\228\24\155\211\212\6\5yQ\6\207q\11Q\1v\218wYz\155\164t\136\146 \227\162...
        [ttl] => 3600
        [type] => 48
    }
    [filename] => /etc/kresd/root.keys
    [refresh_ev] => 10
    [owner] => \0
}
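
As an added illustration (not code from this thread or from Knot Resolver), the check the message relies on: recompute the RFC 4034 key tag from a DNSKEY line in root.keys and compare it with the KeyTag comment, so a mismatch between the two is caught. The first record is the root.keys line shown above; the second is a constructed record with a dummy 4-byte key whose tag (1803) can be worked out by hand.

```python
import base64
import binascii
import re

# Added illustration, not code from the thread or from Knot Resolver.
def dnskey_keytag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, over the whole DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# One presentation-format DNSKEY line as Knot writes it to root.keys ("IN" is optional).
_LINE_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?DNSKEY\s+(?P<flags>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=]+)\s*(?:;(?P<comment>.*))?$")

def parse_trust_anchor_line(line: str) -> dict:
    """Parse the line and check its KeyTag comment against the computed key tag."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a DNSKEY presentation-format line")
    flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
    try:
        pubkey = base64.b64decode(m["key"], validate=True)
        computed = dnskey_keytag(bytes([flags >> 8, flags & 0xFF, proto, alg]) + pubkey)
    except binascii.Error:
        computed = None  # corrupt base64: report it rather than crash
    found = re.search(r"KeyTag:\s*(\d+)", m["comment"] or "")
    declared = int(found.group(1)) if found else None
    return {"owner": m["owner"], "ttl": int(m["ttl"]), "flags": flags, "protocol": proto,
            "algorithm": alg, "is_ksk": (flags & 0x0101) == 0x0101,  # ZONE + SEP bits
            "declared_tag": declared, "computed_tag": computed,
            "tag_ok": declared is not None and computed == declared}

# The root.keys line from the Knot installation shown above.
PAGE_LINE = (". 3600 DNSKEY 257 3 8 AwEAAdZZqL65TA/kHkLq1+ON5eQYm9PUBgV5UQbPcQtRAXbad1l6m6R0iJIg46IiyFyUkEh+H7Z9/oPNnkM9zub2TjFiNVZUSnpyWtPqVD5nHrhUOdS3yW/AXpZuNJ3zX9XDXUpiEnfTPOMrUiZppP1fqx/jnAC9YDLs4K26ocoDyQp+umu+eOrP/TOacRag+9r9NiQzsVuXHQnCwpPY4NwlA7QRaOOjBiI9tNEDD2khVE7Yy5c/sZYirlTOTEBbXkd9l9WVqRgEO+ikb8GMg7hgOddvqj7ItBZvBUACQc3c0OqaLnEZx6CwIQpjxpPPYdyiEdKSwHGH3V3TfS+AEQlW8uk="
             " ; Valid: ; KeyTag:59302")
# Constructed record: 4-byte dummy key 03 01 00 01, RDATA 01 01 03 08 03 01 00 01, tag 1803.
CONSTRUCTED_LINE = ". 3600 DNSKEY 257 3 8 AwEAAQ== ; constructed ; KeyTag:1803"

if __name__ == "__main__":
    for rec in (parse_trust_anchor_line(PAGE_LINE), parse_trust_anchor_line(CONSTRUCTED_LINE)):
        print(rec["owner"], "KSK" if rec["is_ksk"] else "ZSK", "alg", rec["algorithm"],
              "declared", rec["declared_tag"], "computed", rec["computed_tag"],
              "OK" if rec["tag_ok"] else "MISMATCH")
```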
