{
    "mode": "info",
    "parameter": "dnssec-trust-anchors.d",
    "section": "",
    "url": "https://www.chedong.com/phpMan.php/info/dnssec-trust-anchors.d/json",
    "generated": "2026-07-05T13:38:48Z",
    "synopsis": "/etc/dnssec-trust-anchors.d/*.positive\n/run/dnssec-trust-anchors.d/*.positive\n/usr/lib/dnssec-trust-anchors.d/*.positive\n/etc/dnssec-trust-anchors.d/*.negative\n/run/dnssec-trust-anchors.d/*.negative\n/usr/lib/dnssec-trust-anchors.d/*.negative",
    "sections": {
        "NAME": {
            "content": "dnssec-trust-anchors.d, systemd.positive, systemd.negative - DNSSEC\ntrust anchor configuration files\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "/etc/dnssec-trust-anchors.d/*.positive\n\n/run/dnssec-trust-anchors.d/*.positive\n\n/usr/lib/dnssec-trust-anchors.d/*.positive\n\n/etc/dnssec-trust-anchors.d/*.negative\n\n/run/dnssec-trust-anchors.d/*.negative\n\n/usr/lib/dnssec-trust-anchors.d/*.negative\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "The DNSSEC trust anchor configuration files define positive and\nnegative trust anchors systemd-resolved.service(8) bases DNSSEC\nintegrity proofs on.\n",
            "subsections": []
        },
        "POSITIVE TRUST ANCHORS": {
            "content": "Positive trust anchor configuration files contain DNSKEY and DS\nresource record definitions to use as base for DNSSEC integrity proofs.\nSee RFC 4035, Section 4.4[1] for more information about DNSSEC trust\nanchors.\n\nPositive trust anchors are read from files with the suffix .positive\nlocated in /etc/dnssec-trust-anchors.d/, /run/dnssec-trust-anchors.d/\nand /usr/lib/dnssec-trust-anchors.d/. These directories are searched in\nthe specified order, and a trust anchor file of the same name in an\nearlier path overrides a trust anchor file in a later path. To disable\na trust anchor file shipped in /usr/lib/dnssec-trust-anchors.d/ it is\nsufficient to provide an identically-named file in\n/etc/dnssec-trust-anchors.d/ or /run/dnssec-trust-anchors.d/ that is\neither empty or a symlink to /dev/null (\"masked\").\n\nPositive trust anchor files are simple text files resembling DNS zone\nfiles, as documented in RFC 1035, Section 5[2]. One DS or DNSKEY\nresource record may be listed per line. Empty lines and lines starting\nwith \"#\" or \";\" are ignored, which may be used for commenting. A\nDS resource record is specified like in the\nfollowing example:\n\n. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5\n\nThe first word specifies the domain; use \".\" for the root domain. The\ndomain may be specified with or without trailing dot, which is\nconsidered equivalent. The second word must be \"IN\", the third word\n\"DS\". The following words specify the key tag, signature algorithm,\ndigest algorithm, followed by the hex-encoded key fingerprint. See RFC\n4034, Section 5[3] for details about the precise syntax and meaning of\nthese fields.\n\nAlternatively, DNSKEY resource records may be used to define trust\nanchors, like in the following example:\n\n. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=\n\nThe first word specifies the domain again, the second word must be\n\"IN\", followed by \"DNSKEY\". The subsequent words encode the DNSKEY\nflags, protocol and algorithm fields, followed by the key data encoded\nin Base64. See RFC 4034, Section 2[4] for details about the precise\nsyntax and meaning of these fields.\n\nIf multiple DS or DNSKEY records are defined for the same domain\n(possibly even in different trust anchor files), all keys are used and\nare considered equivalent as base for DNSSEC proofs.\n\nNote that systemd-resolved will automatically use a built-in trust\nanchor key for the Internet root domain if no positive trust anchors\nare defined for the root domain. In most cases it is hence unnecessary\nto define an explicit key with trust anchor files. The built-in key is\ndisabled as soon as at least one trust anchor key for the root domain\nis defined in trust anchor files.\n\nIt is generally recommended to encode trust anchors in DS resource\nrecords, rather than DNSKEY resource records.\n\nIf a trust anchor specified via a DS record is found revoked, it is\nautomatically removed from the trust anchor database for the runtime.\nSee RFC 5011[5] for details about revoked trust anchors. Note that\nsystemd-resolved will not update its trust anchor database from DNS\nservers automatically. Instead, it is recommended to update the\nresolver software, or to add the new trust anchor by adding new\ntrust anchor files.\n\nThe current DNSSEC trust anchor for the Internet's root domain is\navailable at the IANA Trust Anchor and Keys[6] page.\n",
            "subsections": []
        },
        "NEGATIVE TRUST ANCHORS": {
            "content": "Negative trust anchors define domains where DNSSEC validation shall be\nturned off. Negative trust anchor files are found at the same location\nas positive trust anchor files, and follow the same overriding rules.\nThey are text files with the .negative suffix. Empty lines and lines\nwhose first character is \";\" are ignored. Each line specifies one\ndomain name which is the root of a DNS subtree where validation shall\nbe disabled. For example:\n\n# Reverse IPv4 mappings\n10.in-addr.arpa\n16.172.in-addr.arpa\n168.192.in-addr.arpa\n...\n# Some custom domains\nprod\nstag\n\nNegative trust anchors are useful to support private DNS subtrees that\nare not referenced from the Internet DNS hierarchy, and not signed.\n\nSee RFC 7646[7] for details on negative trust anchors.\n\nIf no negative trust anchor files are configured, a built-in set of\nwell-known private DNS zone domains is used as negative trust anchors.\n\nIt is also possible to define per-interface negative trust anchors\nusing the DNSSECNegativeTrustAnchors= setting in systemd.network(5)\nfiles.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "systemd(1), systemd-resolved.service(8), resolved.conf(5),\nsystemd.network(5)\n",
            "subsections": []
        },
        "NOTES": {
            "content": "1. RFC 4035, Section 4.4\nhttps://tools.ietf.org/html/rfc4035#section-4.4\n\n2. RFC 1035, Section 5\nhttps://tools.ietf.org/html/rfc1035#section-5\n\n3. RFC 4034, Section 5\nhttps://tools.ietf.org/html/rfc4034#section-5\n\n4. RFC 4034, Section 2\nhttps://tools.ietf.org/html/rfc4034#section-2\n\n5. RFC 5011\nhttps://tools.ietf.org/html/rfc5011\n\n6. IANA Trust Anchor and Keys\nhttps://data.iana.org/root-anchors/root-anchors.xml\n\n7. RFC 7646\nhttps://tools.ietf.org/html/rfc7646\n\nsystemd 249                                          DNSSEC-TRUST-ANCHORS.D(5)",
            "subsections": []
        }
    },
    "summary": "dnssec-trust-anchors.d, systemd.positive, systemd.negative - DNSSEC trust anchor configuration files",
    "flags": [],
    "examples": [],
    "see_also": [
        {
            "name": "systemd",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/systemd/1/json"
        },
        {
            "name": "systemd-resolved.service",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/systemd-resolved.service/8/json"
        },
        {
            "name": "resolved.conf",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/resolved.conf/5/json"
        },
        {
            "name": "systemd.network",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/systemd.network/5/json"
        }
    ]
}