On Tue, 17 Feb 2009, JB wrote:

> In my unbound.conf I have:
> 
>        ...
>        trust-anchor-file: "/usr/local/etc/unbound/ancoras/br.anchor"
>        trust-anchor-file: "/usr/local/etc/unbound/ancoras/dlv.isc.org.anchor"
>        ...
> 
> But I saw in Chris Griffiths message:
> 
>        ...
>        trust-anchor-file: "/etc/unbound/anchors/br.anchor"
>        trust-anchor-file: "/etc/unbound/anchors/se.anchor"
>        trust-anchor-file: "/etc/unbound/anchors/bg.anchor"
>        trust-anchor-file: "/etc/unbound/anchors/pr.anchor"
>        trust-anchor-file: "/etc/unbound/anchors/cz.anchor"
>        ...
> 
> My question is: how many trusted keys must I use for validation? And, if
> I manage about 200 domains, must I take care of them in my recursive
> servers, including their trusted keys? Is there any additional security advantage
> to taking care of anchors for .br, .se, .bg and so on?

Until the root is signed, and if you don't want to use DLV for those queries,
yes.

To make it easier, I wrote "dnssec-conf":

http://www.xelerance.com/software/dnssec-conf/

If you're on Fedora/RHEL/CentOS, do:

yum install dnssec-conf
dnssec-configure -u --dnssec=on --dlv=on --production

You will find all the keys in /etc/pki/dnssec-keys/

See further: man dnssec-configure, man dnskey-pull

Paul
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
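The question in this thread is really one of coverage: with per-TLD anchors and no DLV, a validating resolver only validates zones that sit under some configured anchor; everything else is treated as insecure, which means "unvalidated", not "bogus", so a missing anchor disables validation silently rather than loudly. The script below is an added example, not code from the thread or from Unbound or dnssec-conf. It reads the `trust-anchor-file:` lines out of an unbound.conf, parses the DS/DNSKEY owner names from the referenced anchor files, and reports for each managed domain which ancestor anchor (if any) covers it. The config text, anchor file contents, key material and domain names are all constructed sample data; the anchor files are supplied as an in-memory dict so the check runs offline.

```python
"""Report which managed zones are covered by the trust anchors in an unbound.conf.

Added example, not part of the mailing-list thread. Assumptions: anchor files
use the zone-file syntax Unbound accepts for trust-anchor-file (DS or DNSKEY
records, ';' comments), and a zone is "covered" when it or any ancestor up to
the root has an anchor. Everything below is constructed sample data.
"""
import re

# Constructed stand-in for the anchor files named in the config. The key and
# digest fields are placeholder text, not real DNSSEC material.
ANCHOR_FILES = {
    "/etc/unbound/anchors/br.anchor": "br. IN DS 1111 5 1 PLACEHOLDERDIGEST\n",
    "/etc/unbound/anchors/se.anchor": "se.  3600 IN DNSKEY 257 3 5 PLACEHOLDERKEY\n",
    "/etc/unbound/anchors/cz.anchor": "; sample comment\ncz. IN DS 2222 5 2 PLACEHOLDERDIGEST\n",
}

# Constructed unbound.conf fragment with three per-TLD anchors and no DLV.
UNBOUND_CONF = """
server:
    trust-anchor-file: "/etc/unbound/anchors/br.anchor"
    trust-anchor-file: "/etc/unbound/anchors/se.anchor"
    trust-anchor-file: "/etc/unbound/anchors/cz.anchor"
"""


def anchor_files_from_conf(conf_text):
    """Return the file paths named by trust-anchor-file: directives, in order."""
    return re.findall(r'^\s*trust-anchor-file:\s*"([^"]+)"', conf_text, re.M)


def normalize(name):
    """Lower-case a DNS name and strip the trailing dot; the root becomes ''."""
    return name.rstrip(".").lower()


def anchored_zones(anchor_text):
    """Owner names of DS/DNSKEY records in one anchor file (normalised)."""
    zones = set()
    for line in anchor_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if "DS" in fields or "DNSKEY" in fields:
            zones.add(normalize(fields[0]))
    return zones


def covering_anchor(domain, zones):
    """Closest ancestor (or the zone itself) that has an anchor, else None.

    Walks example.com.br -> com.br -> br -> '' (root) and returns the first hit.
    """
    labels = normalize(domain).split(".")
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def coverage_report(conf_text, anchor_files, domains):
    """Map each managed domain to the anchor covering it (None = unvalidated)."""
    zones = set()
    for path in anchor_files_from_conf(conf_text):
        if path not in anchor_files:
            # Unbound refuses to start on a missing anchor file; fail loudly too.
            raise FileNotFoundError(path)
        zones |= anchored_zones(anchor_files[path])
    return {d: covering_anchor(d, zones) for d in domains}


if __name__ == "__main__":
    managed = ["example.com.br", "exempel.se", "example.cz", "example.org", "example.com"]
    for domain, anchor in coverage_report(UNBOUND_CONF, ANCHOR_FILES, managed).items():
        status = f"validated under anchor '{anchor}'" if anchor else "NO ANCHOR (insecure, unvalidated)"
        print(f"{domain:20} {status}")
```

Run against a real setup by replacing the in-memory dict with `open(path).read()` for each path the config names, and feeding it the list of zones you operate. Domains that come back with `None` are exactly the ones for which you would need either their TLD's anchor or a DLV registration; a root anchor (`.` in the anchor file, normalised here to the empty string) covers everything, which is why the thread's "until the root is signed" caveat matters.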