2017-06-16 10:16:05 +00:00
|
|
|
.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
|
2014-10-05 21:44:31 +00:00
|
|
|
.\"
|
|
|
|
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
|
|
|
.\"
|
|
|
|
.\" Copyright (c) 2008, NLnet Labs. All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" See LICENSE for the license.
|
|
|
|
.\"
|
|
|
|
.\"
|
|
|
|
.SH "NAME"
|
|
|
|
.B unbound\-anchor
|
|
|
|
\- Unbound anchor utility.
|
|
|
|
.SH "SYNOPSIS"
|
|
|
|
.B unbound\-anchor
|
|
|
|
.RB [ opts ]
|
|
|
|
.SH "DESCRIPTION"
|
|
|
|
.B Unbound\-anchor
|
|
|
|
performs setup or update of the root trust anchor for DNSSEC validation.
|
2017-06-16 10:16:05 +00:00
|
|
|
The program fetches the trust anchor with the method from RFC7958 when
|
|
|
|
regular RFC5011 update fails to bring it up to date.
|
2014-10-05 21:44:31 +00:00
|
|
|
It can be run (as root) from the commandline, or run as part of startup
|
|
|
|
scripts. Before you start the \fIunbound\fR(8) DNS server.
|
|
|
|
.P
|
|
|
|
Suggested usage:
|
|
|
|
.P
|
|
|
|
.nf
|
|
|
|
# in the init scripts.
|
|
|
|
# provide or update the root anchor (if necessary)
|
2014-12-04 21:10:49 +00:00
|
|
|
unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@"
|
2014-10-05 21:44:31 +00:00
|
|
|
# Please note usage of this root anchor is at your own risk
|
|
|
|
# and under the terms of our LICENSE (see source).
|
|
|
|
#
|
|
|
|
# start validating resolver
|
|
|
|
# the unbound.conf contains:
|
|
|
|
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
|
2014-12-04 21:10:49 +00:00
|
|
|
unbound \-c unbound.conf
|
2014-10-05 21:44:31 +00:00
|
|
|
.fi
|
|
|
|
.P
|
|
|
|
This tool provides builtin default contents for the root anchor and root
|
|
|
|
update certificate files.
|
|
|
|
.P
|
|
|
|
It tests if the root anchor file works, and if not, and an update is possible,
|
|
|
|
attempts to update the root anchor using the root update certificate.
|
2017-06-16 10:16:05 +00:00
|
|
|
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
|
|
|
|
if all checks are successful, it updates the root anchor file. Otherwise
|
2014-10-05 21:44:31 +00:00
|
|
|
the root anchor file is unchanged. It performs RFC5011 tracking if the
|
|
|
|
DNSSEC information available via the DNS makes that possible.
|
|
|
|
.P
|
|
|
|
It does not perform an update if the certificate is expired, if the network
|
|
|
|
is down or other errors occur.
|
|
|
|
.P
|
|
|
|
The available options are:
|
|
|
|
.TP
|
|
|
|
.B \-a \fIfile
|
|
|
|
The root anchor key file, that is read in and written out.
|
|
|
|
Default is @UNBOUND_ROOTKEY_FILE@.
|
|
|
|
If the file does not exist, or is empty, a builtin root key is written to it.
|
|
|
|
.TP
|
|
|
|
.B \-c \fIfile
|
|
|
|
The root update certificate file, that is read in.
|
|
|
|
Default is @UNBOUND_ROOTCERT_FILE@.
|
|
|
|
If the file does not exist, or is empty, a builtin certificate is used.
|
|
|
|
.TP
|
|
|
|
.B \-l
|
|
|
|
List the builtin root key and builtin root update certificate on stdout.
|
|
|
|
.TP
|
|
|
|
.B \-u \fIname
|
|
|
|
The server name, it connects to https://name. Specify without https:// prefix.
|
|
|
|
The default is "data.iana.org". It connects to the port specified with \-P.
|
2017-06-16 10:16:05 +00:00
|
|
|
You can pass an IPv4 address or IPv6 address (no brackets) if you want.
|
2014-10-05 21:44:31 +00:00
|
|
|
.TP
|
|
|
|
.B \-x \fIpath
|
|
|
|
The pathname to the root\-anchors.xml file on the server. (forms URL with \-u).
|
|
|
|
The default is /root\-anchors/root\-anchors.xml.
|
|
|
|
.TP
|
|
|
|
.B \-s \fIpath
|
|
|
|
The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u).
|
|
|
|
The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7
|
|
|
|
signature over the xml file, using the pem file (\-c) as trust anchor.
|
|
|
|
.TP
|
|
|
|
.B \-n \fIname
|
|
|
|
The emailAddress for the Subject of the signer's certificate from the p7s
|
|
|
|
signature file. Only signatures from this name are allowed. default is
|
|
|
|
dnssec@iana.org. If you pass "" then the emailAddress is not checked.
|
|
|
|
.TP
|
|
|
|
.B \-4
|
|
|
|
Use IPv4 for domain resolution and contacting the server on https. Default is
|
|
|
|
to use IPv4 and IPv6 where appropriate.
|
|
|
|
.TP
|
|
|
|
.B \-6
|
|
|
|
Use IPv6 for domain resolution and contacting the server on https. Default is
|
|
|
|
to use IPv4 and IPv6 where appropriate.
|
|
|
|
.TP
|
|
|
|
.B \-f \fIresolv.conf
|
|
|
|
Use the given resolv.conf file. Not enabled by default, but you could try to
|
|
|
|
pass /etc/resolv.conf on some systems. It contains the IP addresses of the
|
|
|
|
recursive nameservers to use. However, since this tool could be used to
|
|
|
|
bootstrap that very recursive nameserver, it would not be useful (since
|
|
|
|
that server is not up yet, since we are bootstrapping it). It could be
|
|
|
|
useful in a situation where you know an upstream cache is deployed (and
|
|
|
|
running) and in captive portal situations.
|
|
|
|
.TP
|
|
|
|
.B \-r \fIroot.hints
|
|
|
|
Use the given root.hints file (same syntax as the BIND and Unbound root hints
|
|
|
|
file) to bootstrap domain resolution. By default a list of builtin root
|
|
|
|
hints is used. Unbound\-anchor goes to the network itself for these roots,
|
|
|
|
to resolve the server (\-u option) and to check the root DNSKEY records.
|
|
|
|
It does so, because the tool when used for bootstrapping the recursive
|
|
|
|
resolver, cannot use that recursive resolver itself because it is bootstrapping
|
|
|
|
that server.
|
|
|
|
.TP
|
|
|
|
.B \-v
|
|
|
|
More verbose. Once prints informational messages, multiple times may enable
|
|
|
|
large debug amounts (such as full certificates or byte\-dumps of downloaded
|
|
|
|
files). By default it prints almost nothing. It also prints nothing on
|
|
|
|
errors by default; in that case the original root anchor file is simply
|
|
|
|
left undisturbed, so that a recursive server can start right after it.
|
|
|
|
.TP
|
|
|
|
.B \-C \fIunbound.conf
|
|
|
|
Debug option to read unbound.conf into the resolver process used.
|
|
|
|
.TP
|
|
|
|
.B \-P \fIport
|
|
|
|
Set the port number to use for the https connection. The default is 443.
|
|
|
|
.TP
|
|
|
|
.B \-F
|
|
|
|
Debug option to force update of the root anchor through downloading the xml
|
|
|
|
file and verifying it with the certificate. By default it first tries to
|
|
|
|
update by contacting the DNS, which uses much less bandwidth, is much
|
|
|
|
faster (200 msec not 2 sec), and is nicer to the deployed infrastructure.
|
|
|
|
With this option, it still attempts to do so (and may verbosely tell you),
|
|
|
|
but then ignores the result and goes on to use the xml fallback method.
|
|
|
|
.TP
|
|
|
|
.B \-h
|
|
|
|
Show the version and commandline option help.
|
|
|
|
.SH "EXIT CODE"
|
|
|
|
This tool exits with value 1 if the root anchor was updated using the
|
|
|
|
certificate or if the builtin root-anchor was used. It exits with code
|
|
|
|
0 if no update was necessary, if the update was possible with RFC5011
|
|
|
|
tracking, or if an error occurred.
|
|
|
|
.P
|
|
|
|
You can check the exit value in this manner:
|
|
|
|
.nf
|
2014-12-04 21:10:49 +00:00
|
|
|
unbound-anchor \-a "root.key" || logger "Please check root.key"
|
2014-10-05 21:44:31 +00:00
|
|
|
.fi
|
|
|
|
Or something more suitable for your operational environment.
|
|
|
|
.SH "TRUST"
|
|
|
|
The root keys and update certificate included in this tool
|
|
|
|
are provided for convenience and under the terms of our
|
|
|
|
license (see the LICENSE file in the source distribution or
|
|
|
|
http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or
|
|
|
|
not suitable to your purpose.
|
|
|
|
.P
|
|
|
|
By running "unbound\-anchor \-l" the keys and certificate that are
|
|
|
|
configured in the code are printed for your convenience.
|
|
|
|
.P
|
|
|
|
The build\-in configuration can be overridden by providing a root\-cert
|
|
|
|
file and a rootkey file.
|
|
|
|
.SH "FILES"
|
|
|
|
.TP
|
|
|
|
.I @UNBOUND_ROOTKEY_FILE@
|
|
|
|
The root anchor file, updated with 5011 tracking, and read and written to.
|
|
|
|
The file is created if it does not exist.
|
|
|
|
.TP
|
|
|
|
.I @UNBOUND_ROOTCERT_FILE@
|
|
|
|
The trusted self\-signed certificate that is used to verify the downloaded
|
|
|
|
DNSSEC root trust anchor. You can update it by fetching it from
|
|
|
|
https://data.iana.org/root\-anchors/icannbundle.pem (and validate it).
|
|
|
|
If the file does not exist or is empty, a builtin version is used.
|
|
|
|
.TP
|
|
|
|
.I https://data.iana.org/root\-anchors/root\-anchors.xml
|
|
|
|
Source for the root key information.
|
|
|
|
.TP
|
|
|
|
.I https://data.iana.org/root\-anchors/root\-anchors.p7s
|
|
|
|
Signature on the root key information.
|
|
|
|
.SH "SEE ALSO"
|
|
|
|
\fIunbound.conf\fR(5),
|
|
|
|
\fIunbound\fR(8).
|