DNSSEC-TRUST-ANCHORS.D(5)               DNSSEC-TRUST-ANCHORS.D(5)

     NAME
          dnssec-trust-anchors.d, systemd.positive, systemd.negative -
          DNSSEC trust anchor configuration files

     SYNOPSIS
          /etc/dnssec-trust-anchors.d/*.positive

          /run/dnssec-trust-anchors.d/*.positive

          /usr/lib/dnssec-trust-anchors.d/*.positive

          /etc/dnssec-trust-anchors.d/*.negative

          /run/dnssec-trust-anchors.d/*.negative

          /usr/lib/dnssec-trust-anchors.d/*.negative

     DESCRIPTION
          The DNSSEC trust anchor configuration files define positive
          and negative trust anchors systemd-resolved.service(8) bases
          DNSSEC integrity proofs on.

     POSITIVE TRUST ANCHORS
          Positive trust anchor configuration files contain DNSKEY and
          DS resource record definitions to use as base for DNSSEC
          integrity proofs. See m[blue]RFC 4035, Section 4.4m[][1] for
          more information about DNSSEC trust anchors.

          Positive trust anchors are read from files with the suffix
          .positive located in /etc/dnssec-trust-anchors.d/,
          /run/dnssec-trust-anchors.d/ and
          /usr/lib/dnssec-trust-anchors.d/. These directories are
          searched in the specified order, and a trust anchor file of
          the same name in an earlier path overrides a trust anchor
          files in a later path. To disable a trust anchor file
          shipped in /usr/lib/dnssec-trust-anchors.d/ it is sufficient
          to provide an identically-named file in
          /etc/dnssec-trust-anchors.d/ or /run/dnssec-trust-anchors.d/
          that is either empty or a symlink to /dev/null ("masked").

          Positive trust anchor files are simple text files resembling
          DNS zone files, as documented in m[blue]RFC 1035, Section
          5m[][2]. One DS or DNSKEY resource record may be listed per
          line. Empty lines and lines starting with a semicolon (";")
          are ignored and considered comments. A DS resource record is
          specified like in the following example:

              . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5

          The first word specifies the domain, use "."  for the root

     Page 1                     systemd 247          (printed 5/26/22)

     DNSSEC-TRUST-ANCHORS.D(5)               DNSSEC-TRUST-ANCHORS.D(5)

          domain. The domain may be specified with or without trailing
          dot, which is considered equivalent. The second word must be
          "IN" the third word "DS". The following words specify the
          key tag, signature algorithm, digest algorithm, followed by
          the hex-encoded key fingerprint. See m[blue]RFC 4034,
          Section 5m[][3] for details about the precise syntax and
          meaning of these fields.

          Alternatively, DNSKEY resource records may be used to define
          trust anchors, like in the following example:

              . IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=

          The first word specifies the domain again, the second word
          must be "IN", followed by "DNSKEY". The subsequent words
          encode the DNSKEY flags, protocol and algorithm fields,
          followed by the key data encoded in Base64. See m[blue]RFC
          4034, Section 2m[][4] for details about the precise syntax
          and meaning of these fields.

          If multiple DS or DNSKEY records are defined for the same
          domain (possibly even in different trust anchor files), all
          keys are used and are considered equivalent as base for
          DNSSEC proofs.

          Note that systemd-resolved will automatically use a built-in
          trust anchor key for the Internet root domain if no positive
          trust anchors are defined for the root domain. In most cases
          it is hence unnecessary to define an explicit key with trust
          anchor files. The built-in key is disabled as soon as at
          least one trust anchor key for the root domain is defined in
          trust anchor files.

          It is generally recommended to encode trust anchors in DS
          resource records, rather than DNSKEY resource records.

          If a trust anchor specified via a DS record is found revoked
          it is automatically removed from the trust anchor database
          for the runtime. See m[blue]RFC 5011m[][5] for details about
          revoked trust anchors. Note that systemd-resolved will not
          update its trust anchor database from DNS servers
          automatically. Instead, it is recommended to update the
          resolver software or update the new trust anchor via adding
          in new trust anchor files.

          The current DNSSEC trust anchor for the Internet's root
          domain is available at the m[blue]IANA Trust Anchor and
          Keysm[][6] page.

     NEGATIVE TRUST ANCHORS
          Negative trust anchors define domains where DNSSEC
          validation shall be turned off. Negative trust anchor files

     Page 2                     systemd 247          (printed 5/26/22)

     DNSSEC-TRUST-ANCHORS.D(5)               DNSSEC-TRUST-ANCHORS.D(5)

          are found at the same location as positive trust anchor
          files, and follow the same overriding rules. They are text
          files with the .negative suffix. Empty lines and lines whose
          first character is ";" are ignored. Each line specifies one
          domain name which is the root of a DNS subtree where
          validation shall be disabled. For example:

              # Reverse IPv4 mappings
              10.in-addr.arpa
              16.172.in-addr.arpa
              168.192.in-addr.arpa
              ...
              # Some custom domains
              prod
              stag

          Negative trust anchors are useful to support private DNS
          subtrees that are not referenced from the Internet DNS
          hierarchy, and not signed.

          m[blue]RFC 7646m[][7] for details on negative trust anchors.

          If no negative trust anchor files are configured a built-in
          set of well-known private DNS zone domains is used as
          negative trust anchors.

          It is also possibly to define per-interface negative trust
          anchors using the DNSSECNegativeTrustAnchors= setting in
          systemd.network(5) files.

     SEE ALSO
          systemd(1), systemd-resolved.service(8), resolved.conf(5),
          systemd.network(5)

     NOTES
           1. RFC 4035, Section 4.4
              https://tools.ietf.org/html/rfc4035#section-4.4

           2. RFC 1035, Section 5
              https://tools.ietf.org/html/rfc1035#section-5

           3. RFC 4034, Section 5
              https://tools.ietf.org/html/rfc4034#section-5

           4. RFC 4034, Section 2
              https://tools.ietf.org/html/rfc4034#section-2

           5. RFC 5011
              https://tools.ietf.org/html/rfc5011

           6. IANA Trust Anchor and Keys
              https://data.iana.org/root-anchors/root-anchors.xml

     Page 3                     systemd 247          (printed 5/26/22)

     DNSSEC-TRUST-ANCHORS.D(5)               DNSSEC-TRUST-ANCHORS.D(5)

           7. RFC 7646
              https://tools.ietf.org/html/rfc7646

     Page 4                     systemd 247          (printed 5/26/22)