Trustman
From DNSSEC-Tools Wiki
This page describes trustman, which is in the Recursive Server Tools category within the DNSSEC-Tools Components framework of tools.

| DNSSEC-Tools Component | trustman |
|---|---|
| Tool Name: | trustman |
| Tool Type: | Recursive Server Tools |
| Manual: | Manual |
| CLI: | Help |
| Tutorial: | Tutorial |
Trustman implements RFC 5011, "Automated Updates of DNS Security (DNSSEC) Trust Anchors". It does this by running continually as a daemon, polling the DNSKEY RRsets of the zones for which Trust Anchors (TAs) have been configured and tracking the keys those authoritative zones publish, so that new keys are taken up and revoked keys are dropped without manual edits to the trust anchor configuration.
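As an added illustration of the RFC 5011 behaviour that trustman automates (this is example code written for this page, not trustman's own Perl source), the following Python models the RFC 5011 key state machine: a new key seen in a DNSKEY RRset that is signed by a current trust anchor enters a 30-day add hold-down before it becomes Valid, a key carrying the REVOKE bit that also signs the RRset becomes Revoked and is dropped after a 30-day remove hold-down, and an RRset that is not signed by any Valid anchor is ignored outright. Signature verification is abstracted away: each observation carries a constructed set of key ids whose RRSIGs are assumed to have verified, and keys are identified by a constructed stable id rather than a real DNSKEY key tag (which changes when the REVOKE bit is set). The example considers only keys with the SEP bit set as anchor candidates. The `TrustPoint`, `DnsKey`, `Anchor` and `simulate_rollover` names are this example's own.

```python
"""RFC 5011 trust-anchor state machine, as an added illustration (not trustman's code).

Signature checking is abstracted: each observed DNSKEY RRset comes with the set
of key ids whose RRSIGs over it are assumed to have verified. Real tooling does
that cryptography; this models only the RFC 5011 state transitions. Keys are
identified by a constructed stable id standing in for the public key material,
because the real DNSKEY key tag changes when the REVOKE bit is set.
"""
from dataclasses import dataclass

# DNSKEY flag bits (ZONE and SEP from RFC 4034; REVOKE from RFC 5011).
FLAG_ZONE = 0x0100
FLAG_REVOKE = 0x0080
FLAG_SEP = 0x0001

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 add hold-down time
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 remove hold-down time


@dataclass
class DnsKey:
    key_id: str   # constructed stand-in for the public key, not a real key tag
    flags: int


@dataclass
class Anchor:
    state: str    # AddPend, Valid, Missing, Revoked or Removed; Start = not in table
    since: int    # time of the last transition


class TrustPoint:
    def __init__(self, bootstrap_ids, now):
        # Configured (bootstrapped) anchors start out Valid.
        self.anchors = {k: Anchor("Valid", now) for k in bootstrap_ids}

    def valid_ids(self):
        return {k for k, a in self.anchors.items() if a.state == "Valid"}

    def snapshot(self):
        return {k: a.state for k, a in self.anchors.items()}

    def observe(self, now, rrset, signer_ids):
        """Feed one fetched DNSKEY RRset. Returns False if it could not be used."""
        # Only an RRset validly signed by a currently Valid anchor may change state;
        # anything else (including an attacker-supplied key set) is discarded.
        if not (self.valid_ids() & set(signer_ids)):
            return False
        sep = [k for k in rrset if k.flags & FLAG_SEP]
        active = {k.key_id for k in sep if not k.flags & FLAG_REVOKE}
        revoked = {k.key_id for k in sep if k.flags & FLAG_REVOKE}

        # RevBit: a revoked key only counts if the RRset is also signed by it.
        for kid in revoked & set(signer_ids):
            a = self.anchors.get(kid)
            if a and a.state in ("Valid", "Missing"):
                self.anchors[kid] = Anchor("Revoked", now)

        for kid in active:
            a = self.anchors.get(kid)
            if a is None:                                   # NewKey
                self.anchors[kid] = Anchor("AddPend", now)
            elif a.state == "AddPend" and now - a.since >= ADD_HOLD_DOWN:
                self.anchors[kid] = Anchor("Valid", now)    # AddTime
            elif a.state == "Missing":
                self.anchors[kid] = Anchor("Valid", now)    # KeyPres

        for kid, a in list(self.anchors.items()):
            if kid in active:
                continue
            if a.state == "AddPend":                        # KeyRem before AddTime
                del self.anchors[kid]                       # back to Start
            elif a.state == "Valid":                        # KeyRem
                self.anchors[kid] = Anchor("Missing", now)
            # A Missing key is retained: RFC 5011 removes anchors only by revocation.

        for a in self.anchors.values():                     # RemTime
            if a.state == "Revoked" and now - a.since >= REMOVE_HOLD_DOWN:
                a.state = "Removed"
        return True


def simulate_rollover():
    """Constructed KSK rollover at one trust point: k1 is the configured anchor,
    k2 is introduced, then k1 is revoked. Returns (label, snapshot) pairs."""
    k1 = DnsKey("k1", FLAG_ZONE | FLAG_SEP)
    k2 = DnsKey("k2", FLAG_ZONE | FLAG_SEP)
    k3 = DnsKey("k3", FLAG_ZONE | FLAG_SEP)
    k1_revoked = DnsKey("k1", FLAG_ZONE | FLAG_SEP | FLAG_REVOKE)
    tp = TrustPoint({"k1"}, now=0)
    steps = [
        ("k2 published", 1 * DAY, [k1, k2], {"k1", "k2"}),
        ("still in hold-down", 10 * DAY, [k1, k2], {"k1", "k2"}),
        ("hold-down elapsed", 32 * DAY, [k1, k2], {"k1", "k2"}),
        ("k1 revoked", 40 * DAY, [k1_revoked, k2], {"k1", "k2"}),
        # Signed only by the unknown k3: must not even reach AddPend.
        ("unsigned k3 rejected", 45 * DAY, [k2, k3], {"k3"}),
        ("k1 removed", 71 * DAY, [k2], {"k2"}),
    ]
    log = []
    for label, now, rrset, signers in steps:
        tp.observe(now, rrset, signers)
        log.append((label, tp.snapshot()))
    return log


if __name__ == "__main__":
    for label, states in simulate_rollover():
        print(f"{label:22s} {states}")
```

The point a practitioner should take from the run is the security boundary: a key is never promoted, and a revocation is never honoured, unless the RRset carrying it is signed by an anchor the resolver already trusts, and a key that simply disappears is kept as Missing rather than dropped, which is why a zone operator must revoke an old KSK rather than just unpublish it.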
Learn how to get started by reading the tutorial!
Trustman TODO
This is a list of todo items for the tool:
- document code
- DONE: review use of -f --foreground vs. -S --single_run
  - the -f option was modified to run in the foreground, but to loop
  - the -S option is meant to be used when trustman should simply be run once
- DONE: review RFC 5011 to verify that trustman implements everything. The original design was based on the draft(s) of this document.
- DONE: still nothing that I know of. May have something from the folks at TeliaSonera in the future; they will keep us updated on their progress. [Research whether there are any now-existing implementations which provide a revoke bit. The original implementation of trustman was written to the standard, but there was no implementation of the revoke bit upon which to actually test.]
- TODO: this was apparently not done yet: verify that getdnskeys functionality is now in trustman, especially the ability to bootstrap trust anchors
- DONE: verify that more than one trust anchor file can be used per instantiation
- modify trustman to have the ability to migrate to a higher-level trust anchor if we detect all zones between two trust anchors to be signed
- Need to carefully test rollerd with trustman; saw some DNSSEC response errors in trustman while a rollover operation was being performed (SNIP Workshop)
- DONE: found a library problem, and documented a fix for it on the dnssec-tools installation page. Check fresh install of trustman (Scott Rose says that there are installation problems)
- Trustman needs to use the correct validator policy (as per the dnsval.conf file) while doing validation
- Trustman needs to be able to work with trust anchors that are encoded as DS records
