# DNSSEC-TRUST-ANCHORS.D

---
type: CommandReference
command: dnssec-trust-anchors.d
mode: man
section: "5"
source: man-pages
---

## Quick Reference
- `echo '. IN DS 19036 8 2 ...' > /etc/dnssec-trust-anchors.d/root.positive` — Add a DS trust anchor for the root domain
- `echo '. IN DNSKEY 257 3 8 ...' > /etc/dnssec-trust-anchors.d/root.positive` — Add a DNSKEY trust anchor for the root domain
- `ln -s /dev/null /etc/dnssec-trust-anchors.d/builtin.positive` — Mask (disable) a built-in trust anchor
- `echo 'corp.example.com' > /etc/dnssec-trust-anchors.d/corp.negative` — Disable DNSSEC validation for a domain
- `echo '10.in-addr.arpa' >> /etc/dnssec-trust-anchors.d/private.negative` — Disable validation for a reverse lookup subnet

## Name
DNSSEC trust anchor configuration files for `systemd-resolved.service(8)`

## Synopsis
```text
/etc/dnssec-trust-anchors.d/*.positive
/run/dnssec-trust-anchors.d/*.positive
/usr/lib/dnssec-trust-anchors.d/*.positive

/etc/dnssec-trust-anchors.d/*.negative
/run/dnssec-trust-anchors.d/*.negative
/usr/lib/dnssec-trust-anchors.d/*.negative
```

## Options
- **Positive trust anchors (.positive files):**  
  Define one DS or DNSKEY record per line. Empty lines and comments (`#` or `;`) are ignored.
  - `DS` record: `domain IN DS keytag algorithm digest_type hex_fingerprint`  
    Example: `. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5`
  - `DNSKEY` record: `domain IN DNSKEY flags protocol algorithm base64_key_data`  
    Example: `. IN DNSKEY 257 3 8 AwEAAag...`  
  The domain may be written with or without a trailing dot; both forms are equivalent.

- **Negative trust anchors (.negative files):**  
  One domain per line (no trailing dot). DNSSEC validation is disabled for the entire subtree of that domain. Comments start with `;`.  
  Example: `corp.example.com`, `10.in-addr.arpa`

- **File discovery and precedence:**  
  Directories are searched in order: `/etc/` → `/run/` → `/usr/lib/`. A file with the same name in an earlier directory overrides later ones. An empty file or a symlink to `/dev/null` disables (masks) a trust anchor from a lower-priority directory.

- **Built-in anchors:**  
  - A hardcoded root trust anchor is used if no explicit root positive anchor exists. Adding any root anchor disables the built-in one.  
  - A default set of negative trust anchors for well-known private zones is used if no `.negative` files are present.  
  - Per-interface negative anchors can be set via `DNSSECNegativeTrustAnchors=` in `systemd.network(5)`.

- **Revoked anchors:**  
  If an anchor specified via a `DS` record is found revoked, it is automatically removed from the runtime database. `systemd-resolved` does not automatically update anchors from DNS; update trust anchor files manually.
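
The discovery, precedence and masking rules above, as an added example that is not systemd's own code: a small Python loader that walks a priority-ordered list of directories, applies the first-directory-wins and zero-length-masks rules, parses `.positive` and `.negative` files, and answers whether validation is disabled for a given name (subtree match). The directory tree it reads is constructed in a temporary directory; the `vendor.positive` anchor for `example.test` and its DS fields are made-up values, and accepting `#` as well as `;` as a comment marker in `.negative` files (the page only names `;` there) is an assumption.

```python
"""Loader for dnssec-trust-anchors.d-style files (added example, not systemd code).

Reproduces the lookup rules above: files are collected from a list of
directories in priority order, the first directory to provide a given file
name wins, and a zero-length winner (an empty file, or a symlink to /dev/null,
which also reports size zero) masks that name for all lower-priority
directories.  The tree it reads is constructed in a temporary directory.
"""
import os
import tempfile

# The page names ';' for .negative files; also accepting '#' there is an assumption.
COMMENT_CHARS = (";", "#")


def normalise(domain):
    """Lower-case and drop a trailing dot; the root zone stays '.'."""
    d = domain.strip().lower()
    return "." if d in (".", "") else d.rstrip(".")


def discover(dirs, suffix):
    """Map file name -> path for files ending in suffix, honouring precedence and masking."""
    chosen = {}
    for directory in dirs:  # highest priority first, e.g. /etc, /run, /usr/lib
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(suffix) or name in chosen:
                continue  # an earlier directory already decided this name
            path = os.path.join(directory, name)
            # getsize follows symlinks, so a link to /dev/null is treated as empty
            chosen[name] = None if os.path.getsize(path) == 0 else path
    return {name: path for name, path in chosen.items() if path is not None}


def parse_positive(text):
    """Parse DS/DNSKEY lines into (owner, rtype, rdata_fields) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(COMMENT_CHARS):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN" or fields[2].upper() not in ("DS", "DNSKEY"):
            raise ValueError("malformed trust anchor line: %r" % line)
        records.append((normalise(fields[0]), fields[2].upper(), tuple(fields[3:])))
    return records


def parse_negative(text):
    """Parse one domain per line into a set of normalised names."""
    lines = (l.strip() for l in text.splitlines())
    return {normalise(l) for l in lines if l and not l.startswith(COMMENT_CHARS)}


def load_trust_anchors(dirs):
    """Return (positive_records, negative_domains) for the given directory list."""
    positive, negative = [], set()
    for path in discover(dirs, ".positive").values():
        with open(path) as fh:
            positive.extend(parse_positive(fh.read()))
    for path in discover(dirs, ".negative").values():
        with open(path) as fh:
            negative |= parse_negative(fh.read())
    return positive, negative


def validation_disabled(name, negative):
    """True when name is a negative trust anchor or lies beneath one."""
    name = normalise(name)
    return any(name == anchor or name.endswith("." + anchor) for anchor in negative)


def build_demo_tree():
    """Construct a throwaway tree standing in for /etc, /run and /usr/lib (constructed data)."""
    base = tempfile.mkdtemp(prefix="dnssec-anchors-")
    etc, run, lib = (os.path.join(base, d) for d in ("etc", "run", "usr-lib"))
    for d in (etc, run, lib):
        os.makedirs(d)
    with open(os.path.join(lib, "root.positive"), "w") as fh:
        fh.write("; root anchor as shipped by the vendor\n"
                 ". IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5\n")
    with open(os.path.join(lib, "vendor.positive"), "w") as fh:
        fh.write("example.test. IN DS 12345 8 2 00ff\n")  # hypothetical anchor, made-up DS fields
    open(os.path.join(etc, "vendor.positive"), "w").close()  # empty file in /etc masks it
    with open(os.path.join(run, "corp.negative"), "w") as fh:
        fh.write("corp.example.com\n; private reverse zone\n10.in-addr.arpa\n")
    return [etc, run, lib]


if __name__ == "__main__":
    positive, negative = load_trust_anchors(build_demo_tree())
    for record in positive:
        print("positive anchor:", record)
    for domain in sorted(negative):
        print("negative anchor:", domain)
    print("validation disabled for host.corp.example.com:",
          validation_disabled("host.corp.example.com", negative))
```

Running it shows only the root DS anchor surviving (the vendor anchor is masked by the empty file in the `/etc` stand-in) and the two negative anchors from the `/run` stand-in; the subtree check is a label-boundary match, so `notcorp.example.com` is not covered by `corp.example.com`.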

## Examples
**DS trust anchor for the root domain** (IANA root key 2010):
```text
. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
```
**DNSKEY trust anchor for the root domain** (root KSK 2010):
```text
. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
```
**Negative trust anchors** (disable validation for private reverse zones):
```text
10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
prod
stag
```

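
An added consistency check, not part of this page or of systemd, that verifies the DS and DNSKEY root anchors quoted above describe the same key: it rebuilds the DNSKEY RDATA, computes the RFC 4034 key tag and DS digest, and compares them with the DS record's fields. This is the check to run when hand-editing a `.positive` file, because a DS line whose digest does not correspond to the intended DNSKEY will never validate anything. Only the Python standard library is used; the two record strings are copied from the examples above.

```python
"""Consistency check between a DS anchor and a DNSKEY anchor (added example).

RFC 4034 defines the DS digest as hash(owner name in wire format || DNSKEY
RDATA) and the key tag as a 16-bit checksum over the same RDATA.  Both
anchors below are the KSK-2010 root records quoted on this page; nothing is
fetched from the network.
"""
import base64
import hashlib

DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type -> hashlib name

ROOT_DS = ". IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5"
ROOT_DNSKEY = ". IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="


def name_to_wire(name):
    """DNS wire-format owner name: length-prefixed labels ending in a zero byte."""
    name = name.rstrip(".").lower()
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l)
    return wire + b"\x00"  # the root name is just the terminating zero byte


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Hex digest of the wire-format owner name followed by the DNSKEY RDATA."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest()


def check_anchor_pair(ds_line, dnskey_line):
    """Compare a DS anchor line against a DNSKEY anchor line for the same owner.

    Returns a dict with the computed key tag and digest plus match flags;
    raises ValueError if the lines are not a DS/DNSKEY pair for one owner.
    """
    d, k = ds_line.split(), dnskey_line.split()
    if d[1:3] != ["IN", "DS"] or k[1:3] != ["IN", "DNSKEY"]:
        raise ValueError("expected one DS line and one DNSKEY line")
    if d[0].rstrip(".").lower() != k[0].rstrip(".").lower():
        raise ValueError("DS and DNSKEY owner names differ")
    tag, ds_alg, dtype, digest = int(d[3]), int(d[4]), int(d[5]), d[6].lower()
    flags, proto, key_alg = int(k[3]), int(k[4]), int(k[5])
    # zone-file style allows the base64 key to be split over whitespace
    rdata = dnskey_rdata(flags, proto, key_alg, "".join(k[6:]))
    computed_tag = key_tag(rdata)
    computed_digest = ds_digest(k[0], rdata, dtype)
    return {
        "key_tag": computed_tag,
        "digest": computed_digest,
        "is_ksk": bool(flags & 0x0001),  # SEP bit set: 257 = ZONE (256) + SEP (1)
        "tag_ok": computed_tag == tag and ds_alg == key_alg,
        "digest_ok": computed_digest == digest,
    }


if __name__ == "__main__":
    result = check_anchor_pair(ROOT_DS, ROOT_DNSKEY)
    for field, value in result.items():
        print("%-10s %s" % (field, value))
```

A tag mismatch usually means the wrong DNSKEY (or a truncated base64 blob) was pasted; a matching tag with a digest mismatch points at a wrong digest type or a corrupted hex string, since the key tag is only a checksum and several keys can share one.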
## See Also
[systemd(1)](http://localhost/phpMan.php/man/systemd/1/markdown), [systemd-resolved.service(8)](http://localhost/phpMan.php/man/systemd-resolved.service/8/markdown), [resolved.conf(5)](http://localhost/phpMan.php/man/resolved.conf/5/markdown), [systemd.network(5)](http://localhost/phpMan.php/man/systemd.network/5/markdown)