

Trustman implements RFC 5011, which defines "Automated Updates of DNS Security (DNSSEC) Trust Anchors". It does this by running continuously as a daemon, looking for new keys published by the authoritative zones for which Trust Anchors (TAs) have been configured. Learn how to get started by reading !
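The RFC 5011 key states that such a daemon has to track, as a minimal sketch added here for illustration (it is not trustman's own code). The names `Key`, `observe` and `trusted`, the string key ids and the fixed 30-day hold-down are assumptions of this example.

```python
from dataclasses import dataclass

REVOKE = 0x0080           # DNSKEY flags: REVOKE bit (RFC 5011)
SEP = 0x0001              # DNSKEY flags: Secure Entry Point (RFC 4034)
HOLD_DOWN = 30 * 86400    # simplified: the RFC also takes the original TTL into account

@dataclass
class Key:
    state: str = "Start"  # Start, AddPend, Valid, Missing, Revoked, Removed
    since: int = 0        # time (seconds) at which the current state was entered

def observe(store, rrset, now, validated):
    """Apply one DNSKEY RRset observation to the trust anchor store.

    store: key id -> Key. rrset: key id -> DNSKEY flags. The key id stands for
    the public key itself, because setting REVOKE changes the key tag.
    validated: True only if the RRset verified under a key already Valid
    (assumed: for a revoked key, the caller also checked its own signature)."""
    if not validated:
        return store      # unvalidated data never changes anchor state
    for kid, flags in rrset.items():
        if not flags & SEP:
            continue      # only SEP keys are candidate trust anchors
        k = store.setdefault(kid, Key())
        if flags & REVOKE:
            if k.state in ("Valid", "Missing"):
                k.state, k.since = "Revoked", now
        elif k.state == "Start":
            k.state, k.since = "AddPend", now
        elif k.state == "AddPend" and now - k.since >= HOLD_DOWN:
            k.state, k.since = "Valid", now
        elif k.state == "Missing":
            k.state, k.since = "Valid", now
    for kid, k in store.items():
        if k.state == "Revoked" and now - k.since >= HOLD_DOWN:
            k.state, k.since = "Removed", now  # remove hold-down expired
        elif kid in rrset:
            continue
        elif k.state == "AddPend":
            k.state, k.since = "Start", now    # add hold-down starts over
        elif k.state == "Valid":
            k.state, k.since = "Missing", now
    return store

def trusted(store):
    """Key ids that may currently be used as trust anchors."""
    return sorted(kid for kid, k in store.items() if k.state == "Valid")
```

A key in the Removed state stays there even if it is published again, and a new key that disappears from a validated RRset during the hold-down has to start the wait from the beginning.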

Trustman TODO

This is a list of TODO items for the tool:
  • TODO this was apparently not done yet: verify that getdnskeys functionality is now in trustman, especially the ability to bootstrap trust anchors
    • considering recent TAR improvements and things, this is a larger item and half of it is already done. See Wes for details.
    • This was a dup: TODO Bootstrapping trust-anchors in trustman
  • TODO modify trustman to have the ability to migrate to a higher-level trust anchor if we detect all zones between two trust anchors to be signed
  • TODO Need to carefully test rollerd with trustman; saw some DNSSEC response errors in trustman while rollover operation was being performed (SNIP Workshop)
  • TODO Trustman needs to use correct validator policy (as per dnsval.conf file) while doing validation
  • TODO Trustman needs to be able to work with trust anchors that are encoded as DS records
  • TODO Check revoke operation with BIND and rollerd
  • TODO Support unbound configuration file
    • editing ability needs to be split into a separate file; see convertar details
  • TODO merging functions being provided by other tools (getkeys, tachk) into trustman
    • change: put into modules and make all tools use them (see convertar for module structure)
  • TODO should work well if a software update changes the trust anchors OOB