Trustman

From DNSSEC-Tools
DNSSEC-Tools Component
trustman
This describes trustman, which is in the Recursive Server Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: trustman
Tool Type: Recursive Server Tools
Manual: Manual
Example: Example
CLI: Help
Tutorial: Tutorial
How To: How To
Download: trustman

Trustman implements RFC 5011, which defines "Automated Updates of DNS Security (DNSSEC) Trust Anchors". It does this by running continually as a daemon, watching for new keys published by the authoritative zones for which Trust Anchors (TAs) have been configured.

Learn how to get started by reading the tutorial!

Trustman TODO

This is a list of todo items for the tool:

  • TODO this was apparently not done yet: verify that getdnskeys functionality is now in trustman, especially the ability to bootstrap trust anchors
    • considering recent TAR improvements and things, this is a larger item and half of it is already done. See Wes for details.
    • This was a duplicate: TODO Bootstrapping trust-anchors in trustman
  • TODO modify trustman to have the ability to migrate to a higher-level trust anchor if we detect all zones between two trust anchors to be signed
  • TODO Need to carefully test rollerd with trustman; saw some dnssec response errors in trustman while rollover operation was being performed (SNIP Workshop)
  • TODO Trustman needs to use correct validator policy (as per dnsval.conf file) while doing validation
  • TODO Trustman needs to be able to work with trust anchors that are encoded as DS records
  • TODO Check revoke operation with BIND and rollerd
  • TODO Support unbound configuration file
    • editing ability needs to be split into a separate file; see convertar details
  • TODO merging functions being provided by other tools (getkeys, tachk) into trustman
    • change: put into modules and make all tools use them (see convertar for module structure)
  • TODO should work well if a software update changes the trust anchors OOB