Trustman implements RFC 5011, "Automated Updates of DNS Security (DNSSEC) Trust Anchors". It does this by running continually as a daemon that watches for new keys published by the authoritative zones for which Trust Anchors (TAs) have been configured.
Learn how to get started by reading the tutorial!
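As an added illustration (not Trustman's own code) of the RFC 5011 state machine such a daemon has to drive, the following Python models one zone's anchors through the Start, AddPend, Valid, Missing, Revoked and Removed states with the 30-day add and remove hold-down timers. It assumes each observed DNSKEY RRset has already been validated against a currently Valid anchor (and that revoked keys are self-signed); the key tags and timings used are constructed.

```python
from dataclasses import dataclass
from enum import Enum

DAY = 24 * 3600
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 add hold-down time
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 remove hold-down time
State = Enum("State", "START ADDPEND VALID MISSING REVOKED REMOVED")


@dataclass
class Anchor:
    state: State
    since: int  # time (seconds) at which the current state was entered


class TrustAnchorSet:
    """Simplified RFC 5011 state machine for one zone's trust anchors."""

    def __init__(self, initial_tags, now):
        self.anchors = {t: Anchor(State.VALID, now) for t in initial_tags}

    def observe(self, keys, now):
        # keys = {key_tag: revoke_bit_set} from a DNSKEY RRset. Assumption
        # (this example, not Trustman): the RRset was already validated by a
        # currently Valid anchor and any revoked key is self-signed.
        if not any(a.state == State.VALID for a in self.anchors.values()):
            return  # no usable anchor: trust nothing in this RRset
        for tag, revoked in keys.items():
            a = self.anchors.setdefault(tag, Anchor(State.START, now))
            if revoked and a.state in (State.VALID, State.MISSING):
                a.state, a.since = State.REVOKED, now
            elif revoked and a.state == State.ADDPEND:  # never trusted: drop
                a.state, a.since = State.START, now
            elif not revoked and a.state == State.START:  # begin hold-down
                a.state, a.since = State.ADDPEND, now
            elif not revoked and a.state == State.MISSING:
                a.state, a.since = State.VALID, now
            elif not revoked and a.state == State.ADDPEND and now - a.since >= ADD_HOLD_DOWN:
                a.state, a.since = State.VALID, now  # seen continuously for 30 days
        for tag, a in self.anchors.items():
            if tag not in keys and a.state == State.VALID:
                a.state, a.since = State.MISSING, now
            elif tag not in keys and a.state == State.ADDPEND:
                a.state, a.since = State.START, now  # hold-down restarts if it returns
            elif a.state == State.REVOKED and now - a.since >= REMOVE_HOLD_DOWN:
                a.state, a.since = State.REMOVED, now

    def valid_tags(self):
        return sorted(t for t, a in self.anchors.items() if a.state == State.VALID)
```

Note that a key which disappears during its add hold-down falls back to Start, so the 30-day clock restarts from scratch when it reappears.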
This is the list of TODO items for the tool:
- TODO this was apparently not done yet: verify that getdnskeys functionality is now in trustman, especially the ability to bootstrap trust anchors
- considering recent TAR improvements and things, this is a larger item and half of it is already done. See Wes for details.
- This was a dup: TODO Bootstrapping trust-anchors in trustman
- TODO modify trustman to have the ability to migrate to a higher-level trust anchor if we detect that all zones between two trust anchors are signed
- TODO Need to carefully test rollerd with trustman; saw some DNSSEC response errors in trustman while a rollover operation was being performed (SNIP Workshop)
- TODO Trustman needs to use the correct validator policy (as per the dnsval.conf file) while doing validation
- TODO Trustman needs to be able to work with trust anchors that are encoded as DS records
- TODO Check revoke operation with BIND and rollerd
- TODO Support unbound configuration file
- the editing ability needs to be split into a separate file; see convertar for details
- TODO merge functions currently provided by other tools (getkeys, tachk) into trustman
- change: put into modules and make all tools use them (see convertar for module structure)
- TODO should work well if a software update changes the trust anchors out of band (OOB)