dnssec-trust-anchors.d, systemd.positive, systemd.negative - DNSSEC trust anchor
configuration files
/etc/dnssec-trust-anchors.d/*.positive
/run/dnssec-trust-anchors.d/*.positive
/usr/lib/dnssec-trust-anchors.d/*.positive
/etc/dnssec-trust-anchors.d/*.negative
/run/dnssec-trust-anchors.d/*.negative
/usr/lib/dnssec-trust-anchors.d/*.negative
The DNSSEC trust anchor configuration files define positive and negative trust
anchors
systemd-resolved.service(8) bases DNSSEC integrity proofs on.
Positive trust anchor configuration files contain
DNSKEY and
DS
resource record definitions to use as base for DNSSEC integrity proofs. See
RFC 4035, Section 4.4[1] for more information about DNSSEC trust
anchors.
Positive trust anchors are read from files with the suffix .positive located in
/etc/dnssec-trust-anchors.d/, /run/dnssec-trust-anchors.d/ and
/usr/lib/dnssec-trust-anchors.d/. These directories are searched in the
specified order, and a trust anchor file of the same name in an earlier path
overrides a trust anchor files in a later path. To disable a trust anchor file
shipped in /usr/lib/dnssec-trust-anchors.d/ it is sufficient to provide an
identically-named file in /etc/dnssec-trust-anchors.d/ or
/run/dnssec-trust-anchors.d/ that is either empty or a symlink to /dev/null
("masked").
Positive trust anchor files are simple text files resembling DNS zone files, as
documented in
RFC 1035, Section 5[2]. One
DS or
DNSKEY
resource record may be listed per line. Empty lines and lines starting with
"#" or ";" are ignored, which may be used for commenting.
A
DS resource record is specified like in the following example:
. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
The first word specifies the domain, use "." for the root domain. The
domain may be specified with or without trailing dot, which is considered
equivalent. The second word must be "IN" the third word
"DS". The following words specify the key tag, signature algorithm,
digest algorithm, followed by the hex-encoded key fingerprint. See
RFC
4034, Section 5[3] for details about the precise syntax and meaning of
these fields.
Alternatively,
DNSKEY resource records may be used to define trust
anchors, like in the following example:
. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
The first word specifies the domain again, the second word must be
"IN", followed by "DNSKEY". The subsequent words encode
the
DNSKEY flags, protocol and algorithm fields, followed by the key
data encoded in Base64. See
RFC 4034, Section 2[4] for details about
the precise syntax and meaning of these fields.
If multiple
DS or
DNSKEY records are defined for the same domain
(possibly even in different trust anchor files), all keys are used and are
considered equivalent as base for DNSSEC proofs.
Note that systemd-resolved will automatically use a built-in trust anchor key
for the Internet root domain if no positive trust anchors are defined for the
root domain. In most cases it is hence unnecessary to define an explicit key
with trust anchor files. The built-in key is disabled as soon as at least one
trust anchor key for the root domain is defined in trust anchor files.
It is generally recommended to encode trust anchors in
DS resource
records, rather than
DNSKEY resource records.
If a trust anchor specified via a
DS record is found revoked it is
automatically removed from the trust anchor database for the runtime. See
RFC 5011[5] for details about revoked trust anchors. Note that
systemd-resolved will not update its trust anchor database from DNS servers
automatically. Instead, it is recommended to update the resolver software or
update the new trust anchor via adding in new trust anchor files.
The current DNSSEC trust anchor for the Internet's root domain is available at
the
IANA Trust Anchor and Keys[6] page.
Negative trust anchors define domains where DNSSEC validation shall be turned
off. Negative trust anchor files are found at the same location as positive
trust anchor files, and follow the same overriding rules. They are text files
with the .negative suffix. Empty lines and lines whose first character is
";" are ignored. Each line specifies one domain name which is the
root of a DNS subtree where validation shall be disabled. For example:
# Reverse IPv4 mappings
10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
...
# Some custom domains
prod
stag
Negative trust anchors are useful to support private DNS subtrees that are not
referenced from the Internet DNS hierarchy, and not signed.
RFC 7646[7] for details on negative trust anchors.
If no negative trust anchor files are configured a built-in set of well-known
private DNS zone domains is used as negative trust anchors.
It is also possibly to define per-interface negative trust anchors using the
DNSSECNegativeTrustAnchors= setting in
systemd.network(5) files.
systemd(1),
systemd-resolved.service(8),
resolved.conf(5),
systemd.network(5)
- 1.
- RFC 4035, Section 4.4
- 2.
- RFC 1035, Section 5
- 3.
- RFC 4034, Section 5
- 4.
- RFC 4034, Section 2
- 5.
- RFC 5011
- 6.
- IANA Trust Anchor and Keys
- 7.
- RFC 7646