>>> You can start the auto-trust-anchor-file rotation by providing a file
>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>> in there.
>>>
>>>
> I tried this with (in conf)
>
> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
>
> And the latter reading (copied from the BIND-9 zone file)
>
> mail. 1d IN DS 22205 14 1
> 0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN DS 22205 14 2
> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>
> and as variation
>
> mail. 1d IN DNSKEY 22205 14 1
> 0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN DNSKEY 22205 14 2
> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>
> but either way unbound is reporting the below and I do not understand
> what the issue (anchor cannot be with and without autotrust) is?
>
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from
> /etc/unbound/mail-trusted-key.key at line 1, skipping
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from
> /etc/unbound/mail-trusted-key.key at line 2, skipping
> error: failed to read /etc/unbound/mail-trusted-key.key
> error: error reading auto-trust-anchor-file:
> /etc/unbound/mail-trusted-key.key
> error: validator: error in trustanchors config
> error: validator: could not apply configuration settings.
> fatal error: bad config for validator module
Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and, if that is not met, throwing the error. I am no coder and cannot make sense of

    if(tp) {
        if(!tp->autr) {
            log_err("anchor cannot be with and without autotrust");
            lock_basic_unlock(&tp->lock);
            return NULL;
        }

The BIND-9 zone file only provides the aforementioned. Does anything have to be done with it to make it compliant with the anchor structure required by unbound?
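A small format check for the auto-trust-anchor-file the quoted reply describes (one DS or DNSKEY record per line), added here as an example that is not from this thread or from Unbound's own code; it verifies that the RDATA fields on each line match the record type named, using the DS lines and the DNSKEY variation from the post (joined onto single lines) plus a placeholder DNSKEY as constructed sample input.

```python
import base64
import binascii
import re
# Expected hex-digest length per DS digest type: 1 SHA-1, 2 SHA-256, 4 SHA-384.
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
_TTL = re.compile(r"\d+[smhdw]?", re.I)

def check_anchor_line(line):
    """Return (ok, reason) for one line of a plain-text trust-anchor file."""
    parts = line.split()
    if not parts or parts[0].startswith(";"):
        return True, "blank or comment"
    rest = parts[1:]                      # drop the owner name
    for _ in range(2):                    # optional TTL and/or class IN
        if rest and (rest[0].upper() == "IN" or _TTL.fullmatch(rest[0])):
            rest = rest[1:]
    if len(rest) < 5:
        return False, "need a record type and at least four RDATA fields"
    rrtype, a, b, c, tail = rest[0].upper(), rest[1], rest[2], rest[3], "".join(rest[4:])
    if not (a.isdigit() and b.isdigit() and c.isdigit()):
        return False, f"{rrtype}: first three RDATA fields must be integers"
    if rrtype == "DS":                    # keytag, algorithm, digest type, hex digest
        want = DS_DIGEST_HEX_LEN.get(int(c))
        if want is None:
            return False, f"unknown DS digest type {c}"
        if len(tail) != want or not re.fullmatch(r"[0-9A-Fa-f]+", tail):
            return False, f"DS digest type {c} needs {want} hex characters"
        return True, "DS ok"
    if rrtype == "DNSKEY":                # flags, protocol (always 3), algorithm, base64 key
        if b != "3":
            return False, "DNSKEY protocol field must be 3"
        try:
            base64.b64decode(tail, validate=True)
        except binascii.Error:
            return False, "DNSKEY public key is not valid base64"
        return True, "DNSKEY ok"
    return False, f"unsupported record type {rrtype}"

def check_anchor_text(text):
    # Check every line of a file; returns (line number, ok, reason) triples.
    return [(n, *check_anchor_line(l)) for n, l in enumerate(text.splitlines(), 1)]

# Constructed sample: the two DS lines and the DNSKEY 'variation' from the post,
# each joined onto one line, plus a correctly shaped DNSKEY with a dummy (placeholder) key.
SAMPLE = """\
mail. 1d IN DS 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
mail. 1d IN DS 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
mail. 1d IN DNSKEY 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
mail. 1d IN DNSKEY 257 3 14 AQIDBAUGBwgJ
"""
```

The DS lines from the post pass, while the DNSKEY variation is rejected because it carries DS fields (key tag, algorithm, digest type, digest) where a DNSKEY record needs flags, protocol 3, algorithm and a base64 public key.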