Automated Updates of DNSSEC Trust Anchors

Autotrust is a command-line tool that automatically updates your DNSSEC trust anchors. It is intended to run from a cron job and can run next to any validating resolver. It makes use of ldns and libunbound. The latest release is autotrust version 0.3.1.
Its sha1sum is: 4a173263bcc0b2d1f2e8627453338ef6a796a09c

Autotrust is not maintained anymore. Its functionality is incorporated into Unbound (unbound-anchor).

autotrust 0.3.1

Download: autotrust-0.3.1
Sha1sum: 4a173263bcc0b2d1f2e8627453338ef6a796a09c

Operational notes:
  • Options 'ipv4-only:' and 'ipv6-only:' have been replaced by 'do-ip4:' and 'do-ip6:'.
  • Default value for option 'keep-missing:' has changed from 'forever' to '1 year'.
Features:
  • Log to syslog with the option 'use-syslog: yes'.
  • New option 'resolver-reload:', which you can use to configure a reload call to your nameservers (for example 'unbound-control reload' or 'rndc reload').
Bugfixes:
  • Bugfix #271: Trust anchors were reset to valid upon writing trusted-keys.
  • ZSKs in trust anchor files were not loaded.
  • Typo in configure.ac.
  • Don't trim strings when reading RRs from a file (allowing omitted domain names).
  • Fix fprintf warning.
  • Fix space layout in HOWTO.
Known issues:
  • Specific add hold-down situation not implemented (see TODO).

Release Notes

autotrust 0.3.0

Download: autotrust-0.3.0
Sha1sum: 7799361dd889e98d7322d6a1e7a20d918ab498a4

Operational notes:
  • The prefix is prepended to the default file locations if --prefix is set.
  • Changed default locations for state-file and config-file from their relative values to '/var/lib/autotrust/autotrust.state' and '/etc/autotrust/autotrust.conf'.
  • The default pidfile points to '/var/run/autotrust.pid'.
Features:
  • Added extensive documentation.
  • Run autotrust as a daemon with the command-line option -d or by specifying daemonize: "yes" in the config file. The daemon can be stopped with kill -TERM `cat $pidfile`.
Bugfixes:
  • Fix segfault in lib/options.c when include: failed.
  • Configure the autotrust directory with ./configure --with-configdir=$dir. By default, the configuration file goes in /etc/autotrust.
  • Un-ignore the --prefix setting when configuring.
  • Override config file option verbosity: with commandline option -v.
  • Fix chattiness when verbosity set to 0.
Known issues:
  • Specific add hold-down situation not implemented (see TODO).

autotrust 0.2.1

Download: autotrust-0.2.1
Sha1sum: 5871d5d489c7ba37ecf2c3fe67ee6b3904629e8c

Operational notes:
  • Changed default locations for state-file and config-file from their relative values to '/var/lib/autotrust/autotrust.state' and '/etc/autotrust/autotrust.conf'.
Features:
  • Allow multiple resolver pidfiles to be configured.
Bugfixes:
  • Minor bugfix in logging to a logfile.
  • Only remove MISSING keys when timer expired AND other VALID keys are known.
  • Do not create symlinks when making a new release.
Known issues:
  • No knowledge of query intervals and retry times.
  • Specific add hold-down situation not implemented (see TODO).

autotrust 0.2.0

Download: autotrust-0.2.0
Sha1sum: ac40459b5b27fb04e531b8e00d3e5df5ae3cd549

Operational notes:
  • Configuration settings can no longer be provided on the command line; they must be set in the configuration file.
  • The 'trust-anchor' option has been removed; trust anchors should be stored in a trust anchor file.
Features:
  • DS RRs can be configured as trust anchors. They will, of course, not be updated, but their corresponding DNSKEY will be fetched and auto-updated as described in RFC 5011. DS RRs will stay in the trust-anchor file forever.
  • Allow ZSKs in configuration files. They are removed if valid KSKs are known.
  • Print alert messages for MISSING trust anchors to the logfile. Can be turned off by setting the 'alert-missing' configuration option to "no".
  • Included configuration option 'keep-missing', to automatically remove MISSING trust anchors after a while.
  • Allow includes in configuration file.
  • Show the local time of last change in the state file.
  • You can split up trust points into multiple trust anchor files.
Bugfixes:
  • Add missing options in the configuration file sample.
  • Print keytag in trusted-keys clause for clarity.
  • Fix some compiler warnings.
  • Only update trust anchor files when trust anchor validity has changed. Only signal the resolver when trust anchor files are correctly updated.
  • Trust points are now sorted in canonical order.
  • Accept quoted DNSKEY dnames in trusted-keys clause.
  • Also check for self-signed REVOKED keys when answer was secure.
  • Additional sanity check guarantees that at least two validated answers with the pending key included are seen, prior to moving it to the validated trust anchor set.
Known issues:
  • No knowledge of query intervals and retry times.
  • Specific add hold-down situation not implemented (see TODO).
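The trust-anchor state handling that the 0.2.x and 0.3.x notes describe (pending keys held down and needing at least two validated answers, MISSING keys removed only after keep-missing has passed and only while another key is VALID, DS anchors never updated, self-signed REVOKED keys dropped), as an added Python model. This is not autotrust's own code; the hold-down value, key tags and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field

DAY = 86400
ADD_HOLDDOWN = 30 * DAY    # RFC 5011 add hold-down; constructed value for the example
KEEP_MISSING = 365 * DAY   # the 'keep-missing: 1 year' default of autotrust 0.3.1
@dataclass
class Anchor:
    state: str          # PENDING, VALID, MISSING, REVOKED or DS
    since: float = 0.0  # time the anchor entered its current state
    seen: int = 0       # validated answers that included the key while PENDING
@dataclass
class TrustPoint:
    anchors: dict = field(default_factory=dict)  # keytag -> Anchor

    def observe(self, keytags, revoked, now):
        # One validated DNSKEY answer: 'keytags' are present in the secure
        # answer, 'revoked' (a subset) carry the REVOKE bit and are self-signed.
        for tag in keytags:
            a = self.anchors.get(tag)
            if a is not None and a.state == "DS":
                continue  # DS anchors are configured, never updated
            if tag in revoked:
                self.anchors[tag] = Anchor("REVOKED", now)  # leaves the trusted set
            elif a is None:
                self.anchors[tag] = Anchor("PENDING", now, seen=1)
            elif a.state == "PENDING":
                a.seen += 1
                # add hold-down elapsed AND at least two validated answers seen
                if now - a.since >= ADD_HOLDDOWN and a.seen >= 2:
                    a.state, a.since = "VALID", now
            elif a.state == "MISSING":
                a.state, a.since = "VALID", now  # the key came back
        for tag in list(self.anchors):
            a = self.anchors[tag]
            if tag in keytags:
                continue
            if a.state == "VALID":
                a.state, a.since = "MISSING", now
            elif a.state == "PENDING":
                del self.anchors[tag]  # hold-down restarts at the next sighting
        # MISSING keys expire only when keep-missing has passed AND another key
        # is still VALID, so the trust point never ends up empty
        have_valid = any(a.state == "VALID" for a in self.anchors.values())
        for tag in list(self.anchors):
            a = self.anchors[tag]
            if a.state == "MISSING" and have_valid and now - a.since >= KEEP_MISSING:
                del self.anchors[tag]

    def trusted(self):  # keytags a validating resolver should trust right now
        return sorted(t for t, a in self.anchors.items() if a.state in ("VALID", "DS"))
```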

autotrust 0.1.0

Download: autotrust-0.1.0
Sha1sum: 64adb04a992dc709d236c711855a5afdefb88b1d

Features:
  • Updates trust anchor files that can be used by validating resolvers.
  • Configurable root hints.
  • Configurable hold-down times.
  • Accepts Unbound trust anchor file and BIND9 trusted keys clause formats.
  • Can signal your resolver when you configure the resolver's pidfile.
Known issues:
  • No knowledge of query intervals and retry times.
  • Can only have one trust-anchor.file and only one trusted-keys.file.
  • DS records are not updated yet.
  • Some configure checks are missing.
  • No guarantee that at least two validated DNSKEY RRsets are seen before adding them to the valid trust anchor set, when running autotrust less often than the add hold-down time.
  • Specific add hold-down situation not implemented (see TODO).
  • Memory leaks in dnskeyset_verify_rrset_sig and ldns_rr_new_frm_str.

Wed Sep 25 2013

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands

labs@nlnetlabs.nl, subsidised by NLnet and SIDN.