Positive trust anchor configuration files contain DNSKEY and DS
resource record definitions to use as base for DNSSEC integrity
proofs. See RFC 4035, Section 4.4 for more information about
DNSSEC trust anchors.
Positive trust anchors are read from files with the suffix .positive
located in /etc/dnssec-trust-anchors.d/, /run/dnssec-trust-anchors.d/
and /usr/lib/dnssec-trust-anchors.d/. These directories are searched
in the specified order, and a trust anchor file of the same name in
an earlier path overrides a trust anchor files in a later path. To
disable a trust anchor file shipped in
/usr/lib/dnssec-trust-anchors.d/ it is sufficient to provide an
identically-named file in /etc/dnssec-trust-anchors.d/ or
/run/dnssec-trust-anchors.d/ that is either empty or a symlink to
Positive trust anchor files are simple text files resembling DNS zone
files, as documented in RFC 1035, Section 5. One DS or DNSKEY
resource record may be listed per line. Empty lines and lines
starting with a semicolon (";") are ignored and considered comments.
A DS resource record is specified like in the following example:
. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
The first word specifies the domain, use "." for the root domain.
The domain may be specified with or without trailing dot, which is
considered equivalent. The second word must be "IN" the third word
"DS". The following words specify the key tag, signature algorithm,
digest algorithm, followed by the hex-encoded key fingerprint. See
RFC 4034, Section 5 for details about the precise syntax and
meaning of these fields.
Alternatively, DNSKEY resource records may be used to define trust
anchors, like in the following example:
. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
The first word specifies the domain again, the second word must be
"IN", followed by "DNSKEY". The subsequent words encode the DNSKEY
flags, protocol and algorithm fields, followed by the key data
encoded in Base64. See RFC 4034, Section 2 for details about the
precise syntax and meaning of these fields.
If multiple DS or DNSKEY records are defined for the same domain
(possibly even in different trust anchor files), all keys are used
and are considered equivalent as base for DNSSEC proofs.
Note that systemd-resolved will automatically use a built-in trust
anchor key for the Internet root domain if no positive trust anchors
are defined for the root domain. In most cases it is hence
unnecessary to define an explicit key with trust anchor files. The
built-in key is disabled as soon as at least one trust anchor key for
the root domain is defined in trust anchor files.
It is generally recommended to encode trust anchors in DS resource
records, rather than DNSKEY resource records.
If a trust anchor specified via a DS record is found revoked it is
automatically removed from the trust anchor database for the runtime.
See RFC 5011 for details about revoked trust anchors. Note that
systemd-resolved will not update its trust anchor database from DNS
servers automatically. Instead, it is recommended to update the
resolver software or update the new trust anchor via adding in new
trust anchor files.
The current DNSSEC trust anchor for the Internet's root domain is
available at the IANA Trust Anchor and Keys page.
Negative trust anchors define domains where DNSSEC validation shall
be turned off. Negative trust anchor files are found at the same
location as positive trust anchor files, and follow the same
overriding rules. They are text files with the .negative suffix.
Empty lines and lines whose first character is ";" are ignored. Each
line specifies one domain name which is the root of a DNS subtree
where validation shall be disabled.
Negative trust anchors are useful to support private DNS subtrees
that are not referenced from the Internet DNS hierarchy, and not
RFC 7646 for details on negative trust anchors.
If no negative trust anchor files are configured a built-in set of
well-known private DNS zone domains is used as negative trust
It is also possibly to define per-interface negative trust anchors
using the DNSSECNegativeTrustAnchors= setting in systemd.network(5)
This page is part of the systemd (systemd system and service manager)
project. Information about the project can be found at
⟨http://www.freedesktop.org/wiki/Software/systemd⟩. If you have a bug
report for this manual page, see
page was obtained from the project's upstream Git repository
⟨https://github.com/systemd/systemd.git⟩ on 2017-03-13. If you dis‐
cover any rendering problems in this HTML version of the page, or you
believe there is a better or more up-to-date source for the page, or
you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a mail
systemd 233 DNSSEC-TRUST-ANCHORS.D(5)