TACHK(1p) User Contributed Perl Documentation TACHK(1p)NAME
tachk - Check the validity of the trust anchors in a named.conf file
SYNOPSIS
tachk [options] <named.conf>
DESCRIPTION
tachk checks the validity of the trust anchors in the specified named.conf file. The output given depends on the options selected.
Note: This script may be removed in future releases.
OPTIONS
tachk takes two types of options: record-attribute options and output-style options. These option sets are detailed below.
Record-Attribute Options
These options define which trust anchor records will be displayed.
-valid
This option displays the valid trust anchors in a named.conf file.
-invalid
This option displays the invalid trust anchors in a named.conf file.
Output-Format Options
These options define how the trust anchor information will be displayed. Without any of these options, the zone name and key tag will be
displayed for each trust anchor.
-count
The count of matching records will be displayed, but the matching records will not be.
-long
The long form of output will be given. The zone name and key tag will be displayed for each trust anchor.
-terse
This option displays only the name of the zones selected by other options.
-Version
Displays the version information for tachk and the DNSSEC-Tools package.
-help
Display a usage message.
AUTHOR
Wesley Griffin
(Current contact for tachk is Wayne Morrison, tewok@tislabs.com.)
SEE ALSO trustman(8)named.conf(5)perl v5.14.2 2012-06-21 TACHK(1p)
Check Out this Related Man Page
DNSSEC-TRUST-ANCHORS.D(5) dnssec-trust-anchors.d DNSSEC-TRUST-ANCHORS.D(5)NAME
dnssec-trust-anchors.d, systemd.positive, systemd.negative - DNSSEC trust anchor configuration files
SYNOPSIS
/etc/dnssec-trust-anchors.d/*.positive
/run/dnssec-trust-anchors.d/*.positive
/usr/lib/dnssec-trust-anchors.d/*.positive
/etc/dnssec-trust-anchors.d/*.negative
/run/dnssec-trust-anchors.d/*.negative
/usr/lib/dnssec-trust-anchors.d/*.negative
DESCRIPTION
The DNSSEC trust anchor configuration files define positive and negative trust anchors systemd-resolved.service(8) bases DNSSEC integrity
proofs on.
POSITIVE TRUST ANCHORS
Positive trust anchor configuration files contain DNSKEY and DS resource record definitions to use as base for DNSSEC integrity proofs. See
RFC 4035, Section 4.4[1] for more information about DNSSEC trust anchors.
Positive trust anchors are read from files with the suffix .positive located in /etc/dnssec-trust-anchors.d/, /run/dnssec-trust-anchors.d/
and /usr/lib/dnssec-trust-anchors.d/. These directories are searched in the specified order, and a trust anchor file of the same name in an
earlier path overrides a trust anchor files in a later path. To disable a trust anchor file shipped in /usr/lib/dnssec-trust-anchors.d/ it
is sufficient to provide an identically-named file in /etc/dnssec-trust-anchors.d/ or /run/dnssec-trust-anchors.d/ that is either empty or
a symlink to /dev/null ("masked").
Positive trust anchor files are simple text files resembling DNS zone files, as documented in RFC 1035, Section 5[2]. One DS or DNSKEY
resource record may be listed per line. Empty lines and lines starting with a semicolon (";") are ignored and considered comments. A DS
resource record is specified like in the following example:
. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
The first word specifies the domain, use "." for the root domain. The domain may be specified with or without trailing dot, which is
considered equivalent. The second word must be "IN" the third word "DS". The following words specify the key tag, signature algorithm,
digest algorithm, followed by the hex-encoded key fingerprint. See RFC 4034, Section 5[3] for details about the precise syntax and meaning
of these fields.
Alternatively, DNSKEY resource records may be used to define trust anchors, like in the following example:
. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
The first word specifies the domain again, the second word must be "IN", followed by "DNSKEY". The subsequent words encode the DNSKEY
flags, protocol and algorithm fields, followed by the key data encoded in Base64. See RFC 4034, Section 2[4] for details about the precise
syntax and meaning of these fields.
If multiple DS or DNSKEY records are defined for the same domain (possibly even in different trust anchor files), all keys are used and are
considered equivalent as base for DNSSEC proofs.
Note that systemd-resolved will automatically use a built-in trust anchor key for the Internet root domain if no positive trust anchors are
defined for the root domain. In most cases it is hence unnecessary to define an explicit key with trust anchor files. The built-in key is
disabled as soon as at least one trust anchor key for the root domain is defined in trust anchor files.
It is generally recommended to encode trust anchors in DS resource records, rather than DNSKEY resource records.
If a trust anchor specified via a DS record is found revoked it is automatically removed from the trust anchor database for the runtime.
See RFC 5011[5] for details about revoked trust anchors. Note that systemd-resolved will not update its trust anchor database from DNS
servers automatically. Instead, it is recommended to update the resolver software or update the new trust anchor via adding in new trust
anchor files.
The current DNSSEC trust anchor for the Internet's root domain is available at the IANA Trust Anchor and Keys[6] page.
NEGATIVE TRUST ANCHORS
Negative trust anchors define domains where DNSSEC validation shall be turned off. Negative trust anchor files are found at the same
location as positive trust anchor files, and follow the same overriding rules. They are text files with the .negative suffix. Empty lines
and lines whose first character is ";" are ignored. Each line specifies one domain name which is the root of a DNS subtree where validation
shall be disabled.
Negative trust anchors are useful to support private DNS subtrees that are not referenced from the Internet DNS hierarchy, and not signed.
RFC 7646[7] for details on negative trust anchors.
If no negative trust anchor files are configured a built-in set of well-known private DNS zone domains is used as negative trust anchors.
It is also possibly to define per-interface negative trust anchors using the DNSSECNegativeTrustAnchors= setting in systemd.network(5)
files.
SEE ALSO systemd(1), systemd-resolved.service(8), resolved.conf(5), systemd.network(5)NOTES
1. RFC 4035, Section 4.4
https://tools.ietf.org/html/rfc4035#section-4.4
2. RFC 1035, Section 5
https://tools.ietf.org/html/rfc1035#section-5
3. RFC 4034, Section 5
https://tools.ietf.org/html/rfc4034#section-5
4. RFC 4034, Section 2
https://tools.ietf.org/html/rfc4034#section-2
5. RFC 5011
https://tools.ietf.org/html/rfc5011
6. IANA Trust Anchor and Keys
https://data.iana.org/root-anchors/root-anchors.xml
7. RFC 7646
https://tools.ietf.org/html/rfc7646
systemd 237DNSSEC-TRUST-ANCHORS.D(5)