>>> You can start the auto-trust-anchor-file rotation by providing a file
>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>> in there.
>>>
>>>
> I tried this with (in conf)
>
> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
>
> And the latter reading (copied from the BIND-9 zone file)
>
> mail. 1d IN DS 22205 14 1
> 0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN DS 22205 14 2
> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>
> and as variation
>
> mail. 1d IN DNSKEY 22205 14 1
> 0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN DNSKEY 22205 14 2
> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>
> but either way unbound is reporting the below and I do not understand
> what the issue (anchor cannot be with and without autotrust) is?
>
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from
> /etc/unbound/mail-trusted-key.key at line 1, skipping
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from
> /etc/unbound/mail-trusted-key.key at line 2, skipping
> error: failed to read /etc/unbound/mail-trusted-key.key
> error: error reading auto-trust-anchor-file:
> /etc/unbound/mail-trusted-key.key
> error: validator: error in trustanchors config
> error: validator: could not apply configuration settings.
> fatal error: bad config for validator module
Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor
structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and, if
that is not met, throwing the error.
I am no coder and cannot make sense of
    if(tp) {
        if(!tp->autr) {
            log_err("anchor cannot be with and without autotrust");
            lock_basic_unlock(&tp->lock);
            return NULL;
        }
The BIND-9 zone file only provides the aforementioned. Does anything have
to be done with it to make it compliant with the anchor structure required
by unbound?