DNSSEC-Tools being migrated -- expect broken links.
The process to convert older wiki pages to our new site is not yet complete; please be patient while we work through the moving process. -- 2018-08-11
Trustman
Trustman implements RFC 5011, which defines "Automated Updates of DNS Security (DNSSEC) Trust Anchors". It does this by continually running as a daemon, looking for new keys published by the authoritative zones for which Trust Anchors (TAs) have been configured. Learn how to get started by reading
Trustman TODO
This is a list of todo items for the tool:
- TODO this was apparently not done yet: verify that getdnskeys functionality is now in trustman, especially the ability to bootstrap trust anchors
- considering recent TAR improvements and things, this is a larger item and half of it is already done. See Wes for details.
- This was a dup: TODO Bootstrapping trust-anchors in trustman
- TODO modify trustman to have the ability to migrate to a higher level trust anchor if we detect all zones between two trust anchors to be signed
- TODO Need to carefully test rollerd with trustman; saw some dnssec response errors in trustman while rollover operation was being performed (SNIP Workshop)
- TODO Trustman needs to use correct validator policy (as per dnsval.conf file) while doing validation
- TODO Trustman needs to be able to work with trust anchors that are encoded as DS records
- TODO Check revoke operation with BIND and rollerd
- TODO Support unbound configuration file
- editing ability needs to be split into a separate file; see convertar details
- TODO merging functions being provided by other tools (getkeys, tachk) into trustman
- change: put into modules and make all tools use them (see convertar for module structure)
- TODO should work well if a software update changes the trust anchors OOB
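
The RFC 5011 key tracking described at the top of this page, as an added example (not trustman's own code): a per-key state machine showing why a newly published key is not trusted until the add hold-down expires and why a revoked key is dropped at once. The names `step`, `track` and `is_trusted` are hypothetical, the observations are constructed, DNSSEC validation of each RRset is assumed to have happened already, and resetting a pending key that shows up revoked is this example's conservative choice.

```python
DAY = 86400
ADD_HOLD_DOWN = 30 * DAY      # RFC 5011 add hold-down time (or the RRset TTL, if longer)
REMOVE_HOLD_DOWN = 30 * DAY   # RFC 5011 remove hold-down time
SEP, REVOKE = 0x0001, 0x0080  # DNSKEY flag bits

def step(state, since, now, flags, ttl=0):
    """Advance one key. flags is the DNSKEY flags field, or None if the key is
    absent from the RRset. Assumes the RRset was already validated by an
    existing trust anchor (and self-signed by the key when REVOKE is set)."""
    present = flags is not None
    revoked = present and bool(flags & REVOKE)
    if state == "Start":
        if present and (flags & SEP) and not revoked:
            return "AddPend", now              # NewKey: start the hold-down timer
    elif state == "AddPend":
        if not present or revoked:
            return "Start", now                # KeyRem: the timer is discarded
        if now - since >= max(ADD_HOLD_DOWN, ttl):
            return "Valid", now                # AddTime: key becomes a trust anchor
    elif state in ("Valid", "Missing"):
        if revoked:
            return "Revoked", now              # RevBit: stop trusting immediately
        if state == "Valid" and not present:
            return "Missing", now              # KeyRem: still a trust anchor
        if state == "Missing" and present:
            return "Valid", now                # KeyPres
    elif state == "Revoked":
        if now - since >= REMOVE_HOLD_DOWN:
            return "Removed", now              # RemTime
    return state, since

def track(observations, ttl=0):
    """Run (time, flags) observations through the state machine; return states."""
    state, since, history = "Start", 0, []
    for now, flags in observations:
        state, since = step(state, since, now, flags, ttl)
        history.append(state)
    return history

def is_trusted(state):
    return state in ("Valid", "Missing")

# Constructed observations: a new KSK appears, vanishes on day 10 (timer resets),
# reappears on day 11, passes the hold-down on day 41, and is revoked on day 100.
KSK = 0x0101  # flags 257: Zone Key + SEP
SAMPLE = [(0, KSK), (10 * DAY, None), (11 * DAY, KSK), (40 * DAY, KSK),
          (41 * DAY, KSK), (100 * DAY, KSK | REVOKE), (131 * DAY, KSK | REVOKE)]
```

The hold-down restart on day 10 is the security-relevant part: a key that is only briefly published, for example by someone holding a compromised zone key for a short window, never reaches `Valid`.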