On Wed, Oct 3, 2012 at 10:16 AM, W.C.A. Wijngaards <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Nikos,
>> Hello, I'm trying to work with the DNSSec validation example in the
>> unbound tutorial [0]. My issue is that at some point it calls:
>> ub_ctx_add_ta_file() with a file called "keys" and that according
>> to the comment this is the "public keys for DNSSEC verification".
>> However what does that exactly mean? How do you obtain this list? I
>> have a high level understanding of dnssec, and I'd expect that if
>> I set there the file /etc/unbound/root.key it should be able to
>> verify any domain, is that correct? (it doesn't seem to work)
>
> You need:
> ub_ctx_set_option(ctx, "auto-trust-anchor-file:",
>                   "/etc/unbound/root.key");
> because that file is in the 'auto-trust-anchor-file' format.

Thank you. I tried it, but in both cases I get the same error message:

Result is bogus: validation failure <www.nlnetlabs.nl. A IN>: no signatures from 10.0.2.3 for trust anchor . while building chain of trust

I increased debugging but I cannot really follow the log, which contains entries like:

[1349253750] libunbound[3158:0] info: super is www.nlnetlabs.nl. A IN
[1349253750] libunbound[3158:0] info: autotrust process for . DNSKEY IN
[1349253750] libunbound[3158:0] debug: rrset failed to verify due to a lack of signatures
[1349253750] libunbound[3158:0] debug: Failed to match any usable anchor to a DNSKEY.
[1349253750] libunbound[3158:0] debug: autotrust: validate DNSKEY with anchor: sec_status_bogus
[1349253750] libunbound[3158:0] debug: autotrust: dnskey did not verify.
[1349253750] libunbound[3158:0] debug: autotrust: write to disk: root.key.3158-0
[1349253750] libunbound[3158:0] debug: autotrust: replaced root.key
[1349253750] libunbound[3158:0] debug: rrset failed to verify due to a lack of signatures
[1349253750] libunbound[3158:0] debug: Failed to match any usable anchor to a DNSKEY.

regards,
Nikos
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
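
Added example, not part of the original thread and not NLnet Labs code: a short Python triage of the error string and debug lines quoted in the message above. It separates "the answers carried no RRSIG records" from "a signature failed to verify" and names the upstream involved. The regexes assume the message formats exactly as they appear in this post; the function and field names are illustrative.

```python
import re

# Sample input assembled from the lines quoted in the post above.
SAMPLE = """\
Result is bogus: validation failure <www.nlnetlabs.nl. A IN>: no signatures from 10.0.2.3 for trust anchor . while building chain of trust
[1349253750] libunbound[3158:0] debug: rrset failed to verify due to a lack of signatures
[1349253750] libunbound[3158:0] debug: Failed to match any usable anchor to a DNSKEY.
[1349253750] libunbound[3158:0] debug: autotrust: validate DNSKEY with anchor: sec_status_bogus
[1349253750] libunbound[3158:0] debug: autotrust: write to disk: root.key.3158-0
[1349253750] libunbound[3158:0] debug: autotrust: replaced root.key
"""

# Formats assumed from the lines in this post, not from a documented, stable interface.
FAILURE_RE = re.compile(
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<upstream>\S+) for trust anchor (?P<anchor>\S+)")
LOG_RE = re.compile(r"^\[(?P<ts>\d+)\] libunbound\[\d+:\d+\] (?P<level>\w+): (?P<msg>.*)$")


def triage(text):
    """Summarise a libunbound validation failure from its error string and debug log."""
    report = {"failure": None, "missing_rrsigs": 0, "anchor_status": None,
              "files_written": [], "diagnosis": "unknown"}
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            report["failure"] = m.groupdict()
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # not a libunbound log line
        msg = m.group("msg")
        if "lack of signatures" in msg:
            report["missing_rrsigs"] += 1
        elif msg.startswith("autotrust: validate DNSKEY with anchor:"):
            report["anchor_status"] = msg.rsplit(": ", 1)[1]
        elif msg.startswith("autotrust: write to disk:"):
            report["files_written"].append(msg.rsplit(": ", 1)[1])
    f = report["failure"]
    if f and f["reason"] == "no signatures" and report["missing_rrsigs"]:
        # The answers arrived without RRSIG records, so nothing could be checked
        # against the anchor; this is different from a signature that fails to verify.
        report["diagnosis"] = "no RRSIGs in answers from %s for zone %s" % (
            f["upstream"], f["anchor"])
    elif report["anchor_status"] == "sec_status_bogus":
        report["diagnosis"] = "DNSKEY did not validate against the configured anchor"
    return report
```

Calling `triage(SAMPLE)` also lists the autotrust file written during the failed run, which is worth comparing against the anchor file you expect to be in use.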
