Re: DNSSEC, Resolvers and Authentication-Results: "unprotected key"

From: Jim Seymour <jseymour_at_LinxNet.com>
Date: Wed, 14 Oct 2015 08:22:00 -0400

Thanks for the follow-up, Andreas.

On Tue, 13 Oct 2015 21:43:08 +0200
"A. Schulze" <sca_at_andreasschulze.de> wrote:

>
[snip]
>
> But back to OpenDKIM:
> unbound+libunbound have useful defaults. (man unbound.conf).
> Most important: it knows about the root nameservers...
>
> So all you need to enable DNSSEC validation is a root
> trust anchor.
>
> /path/to/opendkim.conf:
> ResolverConfiguration /path/to/unbound_style_config_file
>
> /path/to/unbound_style_config_file:
> server:
> trust-anchor: ". DS 19036 8 2
> 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
>
> That's all. No running unbound daemon needed!
>
> Be aware unbound supports RFC 5011 to "automate Updates of DNS
> Security (DNSSEC) Trust Anchors". By placing a static DS in the
> configuration, validation may fail one day on root key rollover.
[snip]

So is there any reason why, instead of that static config, one could
not do a somewhat "less static-y":

    /etc/unbound/unbound.conf:
        server:
            trust-anchor-file: /etc/unbound/root.key

And run:

    unbound-anchor -a /etc/unbound/root.key

as a cron job (daily or whatever), instead?

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
Received on Wed Oct 14 2015 - 12:22:09 PST
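As an added example, not part of the post above and not code from the unbound or OpenDKIM projects: a POSIX shell helper that sanity-checks the root anchor file before libunbound (and so OpenDKIM, through ResolverConfiguration) relies on it, plus the config fragment for unbound's own RFC 5011 tracking. The `trust-anchor-file` option in the post is read once and never rewritten by unbound; RFC 5011 tracking is enabled with `auto-trust-anchor-file`, which needs the file to be writable by the validating process. The paths are placeholders, and the `;;state=N` annotations the checker parses (4 = REVOKED, 5 = REMOVED) are, as I understand unbound's autotrust format, what unbound writes into a file managed through `auto-trust-anchor-file`; a plain file as written by `unbound-anchor -a` has no such annotations and is treated as valid.

```shell
#!/bin/sh
# Added example, not from the list post: sanity-check the root trust-anchor
# file that libunbound (e.g. via OpenDKIM's ResolverConfiguration) will read.
# Accepts both the plain DS/DNSKEY form that `unbound-anchor -a FILE` writes
# and the autotrust form unbound rewrites when the file is referenced by
# `auto-trust-anchor-file`. All paths are placeholders.

# anchor_mode FILE: "autotrust" if unbound manages the file per RFC 5011
# (state annotations present), "static" otherwise.
anchor_mode() {
    if grep -q ';;state=' "$1"; then echo autotrust; else echo static; fi
}

# usable_root_keys FILE: prints how many root records can seed validation:
# any DS, or a KSK DNSKEY (flags 257) not annotated REVOKED/REMOVED.
usable_root_keys() {
    grep -v '^;' "$1" | awk '
      $1 == "." {
        t = ""; n = 0
        for (i = 2; i <= NF; i++)
          if ($i == "DS" || $i == "DNSKEY") { t = $i; n = i; break }
        if (t == "DS") { ok++; next }
        if (t == "DNSKEY" && $(n + 1) == 257) {
          st = 2                                   # plain file: assume VALID
          if (match($0, /;;state=[0-9]/)) st = substr($0, RSTART + 8, 1)
          if (st != 4 && st != 5) ok++             # 4 = REVOKED, 5 = REMOVED
        }
      }
      END { print ok + 0 }'
}

# check_anchor FILE: one-line verdict; returns 0 only if validation has a key
# to start from, so a deploy script or cron refresh can fail loudly.
check_anchor() {
    f=$1
    [ -r "$f" ] || { echo "$f: missing or unreadable"; return 1; }
    n=$(usable_root_keys "$f")
    if [ "$n" -gt 0 ]; then
        echo "$f: $n usable root key(s), mode=$(anchor_mode "$f")"
        return 0
    fi
    echo "$f: no usable root key, DNSSEC validation would fail"
    return 1
}

# write_resolver_conf DIR: write the unbound-style file that OpenDKIM's
# ResolverConfiguration points at, using auto-trust-anchor-file so libunbound
# itself follows RFC 5011 rollovers (DIR/root.key must be writable by it).
write_resolver_conf() {
    dir=$1
    cat > "$dir/unbound.conf" <<EOF
server:
    auto-trust-anchor-file: $dir/root.key
EOF
    echo "$dir/unbound.conf"
}

# Stand-alone demo on constructed input (the DS is the one quoted in the post).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n' > "$d/root.key"
    write_resolver_conf "$d" >/dev/null
    check_anchor "$d/root.key"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the verdict on the static DS from the post; in practice `check_anchor` is the step to put after `unbound-anchor -a` in the cron job, so a refresh that leaves no usable key is noticed instead of surfacing later as a validation failure.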
