Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: AIX 6.1 Self-Signed Cert Creation Issue
Homework and Emergencies Emergency UNIX and Linux Support AIX 6.1 Self-Signed Cert Creation Issue Post 302601844 by DGPickett on Friday 24th of February 2012 02:08:02 PM
Old 02-24-2012
It should not be that hard, and then the chain of trust ends at you. It's nice to make one for an org, tied to a trustworthy user and host in the local domain. It might not inspire trust outside, but that is no problem on the intranet.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Solaris 9 NIS user creation issue

Helloo to all... what is the correct way to assign a password to a new NIS user on a NIS master server? When I the following: useradd -s /bin/bash -d /export/home/username -m username The user get created fine but when I try to assign a password I get: #passwd username... (0 Replies)
Discussion started by: GLJ@USC
0 Replies

2. AIX

pid number creation rules on aix

Hello, On a AIX 5.3.5.0 server, we have PID exceeding 999999. This cause some troubles in our programms. I would like to know the process creation rules on aix : - what is the maximum pid number ? - what is the wrap limit on aix, and where to find it, how to configure pid wrap limit ? -... (3 Replies)
Discussion started by: astjen
3 Replies

3. AIX

aix cert 223 need help.

Hi, a friend of mine passed there 223 last year and they gave me there testkiller document which was 65 questions, i am looking at doing my 223 exam and i have gone to testkiller recently and noticed there is an updated version which is now 383 questions. I did the ibm pre-exam and all the... (1 Reply)
Discussion started by: rorted
1 Replies

4. Solaris

Solaris 10 11/06 Zone creation issue

Hi, I am new to zone creations in solaris 10. When I try to create a zone with "set ip-type=exclusive" it gives the usage. OS == Solaris 10 11/06 s10s_u3wos_10 SPARC Copyright 2006 Sun Microsystems, Inc. All Rights Reserved. Use is subject to license... (17 Replies)
Discussion started by: niman
17 Replies

5. Solaris

core file creation issue

Hi, There are servers SERVER1 and SERVER2. Both have Sun Solaris 5.1 operating system . A binary file called "Runme" is running in SERVER1 without any issues. But same binary file " Runme" creates core file while exiting . Both operating systems have similar setups. What would be the reason for... (1 Reply)
Discussion started by: joe.mani
1 Replies

6. AIX

AIX Bunch of printers queue creation script - HELP

I'd seek for help on how to create a bunch of printers in AIX 6.x or equal or above in one go – say like I have 35 printers to create in 4 different AIX Nodes every month – I currently create it manually like below:- How can I automatic this creation on all the 4-5 Nodes – not actually automatic... (3 Replies)
Discussion started by: shiv2001in
3 Replies

7. UNIX for Advanced & Expert Users

"Signed Linux" - Only executing signed programs

Hey folks, not sure whether this or the security board is the right forum. If I failed, please move :) So here's the problem: I need to build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign signature like you know it from... (5 Replies)
Discussion started by: disaster
5 Replies

8. Solaris

Issue with log creation

Hi, some logs are not getting created under the required folder, which was working fine when i saw last time(15days back). Thought may be some issue with syslog deamon and did lot of R&D. Still not able to fix the bug.:wall: Is there any one to help me out ? Quick response will be appreciated.... (6 Replies)
Discussion started by: Sricharan21
6 Replies

9. UNIX for Dummies Questions & Answers

Query: How to install commercial cert into AIX and use it for FTPS connection

Hi Techies, I wish to check with everyone here something regarding Configuration of FTPS Server in AIX using Commercial Digital Cert instead of Sel Sign Cert. I'm working as system integration designer and I'm currently working on a interface which involves integration btw two systems using... (6 Replies)
Discussion started by: mkmuraly
6 Replies

10. Shell Programming and Scripting

File system creation script on AIX 6.1 using while loop

#!/bin/sh echo "VG: " read VG echo "LP: " read LP echo "SAP: " read SAP echo "NUM: " read NUM echo "SID: " read SID while ]; read VG LP SAP NUM SID ; do mklv -y $SAP$NUM -t jfs2 -e x $VG $LP; crfs -v jfs2 -d /dev/$SAP$NUM -m /oracle/$SID/$SAP$NUM ... (14 Replies)
Discussion started by: arorap
14 Replies

LEARN ABOUT ULTRIX

dnssec-trust-anchors.d

DNSSEC-TRUST-ANCHORS.D(5)				      dnssec-trust-anchors.d					 DNSSEC-TRUST-ANCHORS.D(5)

NAME

       dnssec-trust-anchors.d, systemd.positive, systemd.negative - DNSSEC trust anchor configuration files

SYNOPSIS

       /etc/dnssec-trust-anchors.d/*.positive

       /run/dnssec-trust-anchors.d/*.positive

       /usr/lib/dnssec-trust-anchors.d/*.positive

       /etc/dnssec-trust-anchors.d/*.negative

       /run/dnssec-trust-anchors.d/*.negative

       /usr/lib/dnssec-trust-anchors.d/*.negative

DESCRIPTION

       The DNSSEC trust anchor configuration files define positive and negative trust anchors systemd-resolved.service(8) bases DNSSEC integrity
       proofs on.

POSITIVE TRUST ANCHORS

       Positive trust anchor configuration files contain DNSKEY and DS resource record definitions to use as base for DNSSEC integrity proofs. See
       RFC 4035, Section 4.4[1] for more information about DNSSEC trust anchors.

       Positive trust anchors are read from files with the suffix .positive located in /etc/dnssec-trust-anchors.d/, /run/dnssec-trust-anchors.d/
       and /usr/lib/dnssec-trust-anchors.d/. These directories are searched in the specified order, and a trust anchor file of the same name in an
       earlier path overrides a trust anchor files in a later path. To disable a trust anchor file shipped in /usr/lib/dnssec-trust-anchors.d/ it
       is sufficient to provide an identically-named file in /etc/dnssec-trust-anchors.d/ or /run/dnssec-trust-anchors.d/ that is either empty or
       a symlink to /dev/null ("masked").

       Positive trust anchor files are simple text files resembling DNS zone files, as documented in RFC 1035, Section 5[2]. One DS or DNSKEY
       resource record may be listed per line. Empty lines and lines starting with a semicolon (";") are ignored and considered comments. A DS
       resource record is specified like in the following example:

	   . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5

       The first word specifies the domain, use "."  for the root domain. The domain may be specified with or without trailing dot, which is
       considered equivalent. The second word must be "IN" the third word "DS". The following words specify the key tag, signature algorithm,
       digest algorithm, followed by the hex-encoded key fingerprint. See RFC 4034, Section 5[3] for details about the precise syntax and meaning
       of these fields.

       Alternatively, DNSKEY resource records may be used to define trust anchors, like in the following example:

	   . IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=

       The first word specifies the domain again, the second word must be "IN", followed by "DNSKEY". The subsequent words encode the DNSKEY
       flags, protocol and algorithm fields, followed by the key data encoded in Base64. See RFC 4034, Section 2[4] for details about the precise
       syntax and meaning of these fields.

       If multiple DS or DNSKEY records are defined for the same domain (possibly even in different trust anchor files), all keys are used and are
       considered equivalent as base for DNSSEC proofs.

       Note that systemd-resolved will automatically use a built-in trust anchor key for the Internet root domain if no positive trust anchors are
       defined for the root domain. In most cases it is hence unnecessary to define an explicit key with trust anchor files. The built-in key is
       disabled as soon as at least one trust anchor key for the root domain is defined in trust anchor files.

       It is generally recommended to encode trust anchors in DS resource records, rather than DNSKEY resource records.

       If a trust anchor specified via a DS record is found revoked it is automatically removed from the trust anchor database for the runtime.
       See RFC 5011[5] for details about revoked trust anchors. Note that systemd-resolved will not update its trust anchor database from DNS
       servers automatically. Instead, it is recommended to update the resolver software or update the new trust anchor via adding in new trust
       anchor files.

       The current DNSSEC trust anchor for the Internet's root domain is available at the IANA Trust Anchor and Keys[6] page.

NEGATIVE TRUST ANCHORS

       Negative trust anchors define domains where DNSSEC validation shall be turned off. Negative trust anchor files are found at the same
       location as positive trust anchor files, and follow the same overriding rules. They are text files with the .negative suffix. Empty lines
       and lines whose first character is ";" are ignored. Each line specifies one domain name which is the root of a DNS subtree where validation
       shall be disabled.

       Negative trust anchors are useful to support private DNS subtrees that are not referenced from the Internet DNS hierarchy, and not signed.

       RFC 7646[7] for details on negative trust anchors.

       If no negative trust anchor files are configured a built-in set of well-known private DNS zone domains is used as negative trust anchors.

       It is also possibly to define per-interface negative trust anchors using the DNSSECNegativeTrustAnchors= setting in systemd.network(5)
       files.

SEE ALSO

       systemd(1), systemd-resolved.service(8), resolved.conf(5), systemd.network(5)

NOTES

	1. RFC 4035, Section 4.4
	   https://tools.ietf.org/html/rfc4035#section-4.4

	2. RFC 1035, Section 5
	   https://tools.ietf.org/html/rfc1035#section-5

	3. RFC 4034, Section 5
	   https://tools.ietf.org/html/rfc4034#section-5

	4. RFC 4034, Section 2
	   https://tools.ietf.org/html/rfc4034#section-2

	5. RFC 5011
	   https://tools.ietf.org/html/rfc5011

	6. IANA Trust Anchor and Keys
	   https://data.iana.org/root-anchors/root-anchors.xml

	7. RFC 7646
	   https://tools.ietf.org/html/rfc7646

systemd 237														 DNSSEC-TRUST-ANCHORS.D(5)
All times are GMT -4. The time now is 03:57 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy