файлы конфигурации якоря доверия DNSSEC (DNSSEC trust anchor configuration files)
Имя (Name)
dnssec-trust-anchors.d, systemd.positive, systemd.negative -
DNSSEC trust anchor configuration files
Синопсис (Synopsis)
/etc/dnssec-trust-anchors.d/*.positive
/run/dnssec-trust-anchors.d/*.positive
/usr/lib/dnssec-trust-anchors.d/*.positive
/etc/dnssec-trust-anchors.d/*.negative
/run/dnssec-trust-anchors.d/*.negative
/usr/lib/dnssec-trust-anchors.d/*.negative
Описание (Description)
The DNSSEC trust anchor configuration files define positive and
negative trust anchors systemd-resolved.service(8) bases DNSSEC
integrity proofs on.
Положительные трастовые якоря (Positive trust anchors)
Positive trust anchor configuration files contain DNSKEY and DS
resource record definitions to use as base for DNSSEC integrity
proofs. See RFC 4035, Section 4.4
Positive trust anchors are read from files with the suffix
.positive located in /etc/dnssec-trust-anchors.d/,
/run/dnssec-trust-anchors.d/ and
/usr/lib/dnssec-trust-anchors.d/. These directories are searched
in the specified order, and a trust anchor file of the same name
in an earlier path overrides a trust anchor files in a later
path. To disable a trust anchor file shipped in
/usr/lib/dnssec-trust-anchors.d/ it is sufficient to provide an
identically-named file in /etc/dnssec-trust-anchors.d/ or
/run/dnssec-trust-anchors.d/ that is either empty or a symlink to
/dev/null ("masked").
Positive trust anchor files are simple text files resembling DNS
zone files, as documented in RFC 1035, Section 5DS or
DNSKEY resource record may be listed per line. Empty lines and
lines starting with "#" or ";" are ignored, which may be used for
commenting. A DS resource record is specified like in the
following example:
. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
The first word specifies the domain, use "." for the root
domain. The domain may be specified with or without trailing dot,
which is considered equivalent. The second word must be "IN" the
third word "DS". The following words specify the key tag,
signature algorithm, digest algorithm, followed by the
hex-encoded key fingerprint. See RFC 4034, Section 5
Alternatively, DNSKEY resource records may be used to define
trust anchors, like in the following example:
. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
The first word specifies the domain again, the second word must
be "IN", followed by "DNSKEY". The subsequent words encode the
DNSKEY flags, protocol and algorithm fields, followed by the key
data encoded in Base64. See RFC 4034, Section 2
If multiple DS or DNSKEY records are defined for the same domain
(possibly even in different trust anchor files), all keys are
used and are considered equivalent as base for DNSSEC proofs.
Note that systemd-resolved will automatically use a built-in
trust anchor key for the Internet root domain if no positive
trust anchors are defined for the root domain. In most cases it
is hence unnecessary to define an explicit key with trust anchor
files. The built-in key is disabled as soon as at least one trust
anchor key for the root domain is defined in trust anchor files.
It is generally recommended to encode trust anchors in DS
resource records, rather than DNSKEY resource records.
If a trust anchor specified via a DS record is found revoked it
is automatically removed from the trust anchor database for the
runtime. See RFC 5011
The current DNSSEC trust anchor for the Internet's root domain is
available at the IANA Trust Anchor and Keys
Анкоры с отрицательным доверием (Negative trust anchors)
Negative trust anchors define domains where DNSSEC validation
shall be turned off. Negative trust anchor files are found at the
same location as positive trust anchor files, and follow the same
overriding rules. They are text files with the .negative suffix.
Empty lines and lines whose first character is ";" are ignored.
Each line specifies one domain name which is the root of a DNS
subtree where validation shall be disabled. For example:
# Reverse IPv4 mappings
10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
...
# Some custom domains
prod
stag
Negative trust anchors are useful to support private DNS subtrees
that are not referenced from the Internet DNS hierarchy, and not
signed.
RFC 7646
If no negative trust anchor files are configured a built-in set
of well-known private DNS zone domains is used as negative trust
anchors.
It is also possibly to define per-interface negative trust
anchors using the DNSSECNegativeTrustAnchors= setting in
systemd.network(5) files.
Смотри также (See also)
systemd(1), systemd-resolved.service(8), resolved.conf(5),
systemd.network(5)
Примечание (Note)
1. RFC 4035, Section 4.4
https://tools.ietf.org/html/rfc4035#section-4.4
2. RFC 1035, Section 5
https://tools.ietf.org/html/rfc1035#section-5
3. RFC 4034, Section 5
https://tools.ietf.org/html/rfc4034#section-5
4. RFC 4034, Section 2
https://tools.ietf.org/html/rfc4034#section-2
5. RFC 5011
https://tools.ietf.org/html/rfc5011
6. IANA Trust Anchor and Keys
https://data.iana.org/root-anchors/root-anchors.xml
7. RFC 7646
https://tools.ietf.org/html/rfc7646
