]> git.saurik.com Git - apple/network_cmds.git/blame_incremental - unbound/doc/unbound-anchor.8.in
network_cmds-481.20.1.tar.gz
[apple/network_cmds.git] / unbound / doc / unbound-anchor.8.in
... / ...
CommitLineData
1.TH "unbound-anchor" "8" "Dec 8, 2014" "NLnet Labs" "unbound 1.5.1"
2.\"
3.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
4.\"
5.\" Copyright (c) 2008, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"
10.SH "NAME"
11.B unbound\-anchor
12\- Unbound anchor utility.
13.SH "SYNOPSIS"
14.B unbound\-anchor
15.RB [ opts ]
16.SH "DESCRIPTION"
17.B Unbound\-anchor
18performs setup or update of the root trust anchor for DNSSEC validation.
19It can be run (as root) from the commandline, or run as part of startup
20scripts. Before you start the \fIunbound\fR(8) DNS server.
21.P
22Suggested usage:
23.P
24.nf
25 # in the init scripts.
26 # provide or update the root anchor (if necessary)
27 unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@"
28 # Please note usage of this root anchor is at your own risk
29 # and under the terms of our LICENSE (see source).
30 #
31 # start validating resolver
32 # the unbound.conf contains:
33 # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
34 unbound \-c unbound.conf
35.fi
36.P
37This tool provides builtin default contents for the root anchor and root
38update certificate files.
39.P
40It tests if the root anchor file works, and if not, and an update is possible,
41attempts to update the root anchor using the root update certificate.
42It performs a https fetch of root-anchors.xml and checks the results, if
43all checks are successful, it updates the root anchor file. Otherwise
44the root anchor file is unchanged. It performs RFC5011 tracking if the
45DNSSEC information available via the DNS makes that possible.
46.P
47It does not perform an update if the certificate is expired, if the network
48is down or other errors occur.
49.P
50The available options are:
51.TP
52.B \-a \fIfile
53The root anchor key file, that is read in and written out.
54Default is @UNBOUND_ROOTKEY_FILE@.
55If the file does not exist, or is empty, a builtin root key is written to it.
56.TP
57.B \-c \fIfile
58The root update certificate file, that is read in.
59Default is @UNBOUND_ROOTCERT_FILE@.
60If the file does not exist, or is empty, a builtin certificate is used.
61.TP
62.B \-l
63List the builtin root key and builtin root update certificate on stdout.
64.TP
65.B \-u \fIname
66The server name, it connects to https://name. Specify without https:// prefix.
67The default is "data.iana.org". It connects to the port specified with \-P.
68You can pass an IPv4 addres or IPv6 address (no brackets) if you want.
69.TP
70.B \-x \fIpath
71The pathname to the root\-anchors.xml file on the server. (forms URL with \-u).
72The default is /root\-anchors/root\-anchors.xml.
73.TP
74.B \-s \fIpath
75The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u).
76The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7
77signature over the xml file, using the pem file (\-c) as trust anchor.
78.TP
79.B \-n \fIname
80The emailAddress for the Subject of the signer's certificate from the p7s
81signature file. Only signatures from this name are allowed. default is
82dnssec@iana.org. If you pass "" then the emailAddress is not checked.
83.TP
84.B \-4
85Use IPv4 for domain resolution and contacting the server on https. Default is
86to use IPv4 and IPv6 where appropriate.
87.TP
88.B \-6
89Use IPv6 for domain resolution and contacting the server on https. Default is
90to use IPv4 and IPv6 where appropriate.
91.TP
92.B \-f \fIresolv.conf
93Use the given resolv.conf file. Not enabled by default, but you could try to
94pass /etc/resolv.conf on some systems. It contains the IP addresses of the
95recursive nameservers to use. However, since this tool could be used to
96bootstrap that very recursive nameserver, it would not be useful (since
97that server is not up yet, since we are bootstrapping it). It could be
98useful in a situation where you know an upstream cache is deployed (and
99running) and in captive portal situations.
100.TP
101.B \-r \fIroot.hints
102Use the given root.hints file (same syntax as the BIND and Unbound root hints
103file) to bootstrap domain resolution. By default a list of builtin root
104hints is used. Unbound\-anchor goes to the network itself for these roots,
105to resolve the server (\-u option) and to check the root DNSKEY records.
106It does so, because the tool when used for bootstrapping the recursive
107resolver, cannot use that recursive resolver itself because it is bootstrapping
108that server.
109.TP
110.B \-v
111More verbose. Once prints informational messages, multiple times may enable
112large debug amounts (such as full certificates or byte\-dumps of downloaded
113files). By default it prints almost nothing. It also prints nothing on
114errors by default; in that case the original root anchor file is simply
115left undisturbed, so that a recursive server can start right after it.
116.TP
117.B \-C \fIunbound.conf
118Debug option to read unbound.conf into the resolver process used.
119.TP
120.B \-P \fIport
121Set the port number to use for the https connection. The default is 443.
122.TP
123.B \-F
124Debug option to force update of the root anchor through downloading the xml
125file and verifying it with the certificate. By default it first tries to
126update by contacting the DNS, which uses much less bandwidth, is much
127faster (200 msec not 2 sec), and is nicer to the deployed infrastructure.
128With this option, it still attempts to do so (and may verbosely tell you),
129but then ignores the result and goes on to use the xml fallback method.
130.TP
131.B \-h
132Show the version and commandline option help.
133.SH "EXIT CODE"
134This tool exits with value 1 if the root anchor was updated using the
135certificate or if the builtin root-anchor was used. It exits with code
1360 if no update was necessary, if the update was possible with RFC5011
137tracking, or if an error occurred.
138.P
139You can check the exit value in this manner:
140.nf
141 unbound-anchor \-a "root.key" || logger "Please check root.key"
142.fi
143Or something more suitable for your operational environment.
144.SH "TRUST"
145The root keys and update certificate included in this tool
146are provided for convenience and under the terms of our
147license (see the LICENSE file in the source distribution or
148http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or
149not suitable to your purpose.
150.P
151By running "unbound\-anchor \-l" the keys and certificate that are
152configured in the code are printed for your convenience.
153.P
154The build\-in configuration can be overridden by providing a root\-cert
155file and a rootkey file.
156.SH "FILES"
157.TP
158.I @UNBOUND_ROOTKEY_FILE@
159The root anchor file, updated with 5011 tracking, and read and written to.
160The file is created if it does not exist.
161.TP
162.I @UNBOUND_ROOTCERT_FILE@
163The trusted self\-signed certificate that is used to verify the downloaded
164DNSSEC root trust anchor. You can update it by fetching it from
165https://data.iana.org/root\-anchors/icannbundle.pem (and validate it).
166If the file does not exist or is empty, a builtin version is used.
167.TP
168.I https://data.iana.org/root\-anchors/root\-anchors.xml
169Source for the root key information.
170.TP
171.I https://data.iana.org/root\-anchors/root\-anchors.p7s
172Signature on the root key information.
173.SH "SEE ALSO"
174\fIunbound.conf\fR(5),
175\fIunbound\fR(8).