#######################################################################
###
### You should NOT modify this file, use the following files instead:
-### - /etc/dnssec-tools/dnsval.conf.head
-### - /etc/dnssec-tools/dnsval.conf.tail
+### - /etc/dnssec-tools/dnsval.conf.head (for specifiing defaults)
+### - /etc/dnssec-tools/dnsval.conf.tail (for overriding)
+###
+### Root-zone trust anchor(s) are in the following file:
+### - /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf
+### (you will probably not need to modify it manualy)
###
#######################################################################
#######################################################################
##################################
include /etc/dnssec-tools/dnsval.conf.head
-include /usr/share/dnssec-trust-anchors/root-anchor.dnsval.conf
+include /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf
# TRUSTMAN-ACTION bind-include /var/opt/named/named.conf
##################################
trust-oob-answers yes
edns0-size 1492
env-policy enable
- app-policy disable
- log 10:stderr
+ app-policy enable
+ log 5:stderr
;
##################################
# Default policies
##################################
-#: trust-anchor
-# . "974 0 0 MIIDyjCCArKgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBLMQ4wDAYDVQQKEwVJQ0FOTjEYMBYGA1UEAxMPSUNBTk4gRE5TU0VDIENBMR8wHQYJKoZIhvcNAQkBExBkbnNzZWNAaWNhbm4ub3JnMB4XDTEwMDcxNDE3MDEyNVoXDTExMDcxNDE3MDEyNVowgbMxDjAMBgNVBAoTBUlDQU5OMQ0wCwYDVQQLEwRJQU5BMTAwLgYDVQQDEydSb290IFpvbmUgS1NLIDIwMTAtMDYtMTZUMjE6MTk6MjQrMDA6MDAxYDBeBggrBgEEAYdoNRNSLiBJTiBEUyAxOTAzNiA4IDIgNDlBQUMxMUQ3QjZGNjQ0NjcwMkU1NEExNjA3MzcxNjA3QTFBNDE4NTUyMDBGRDJDRTFDRERFMzJGMjRFOEZCNTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKgAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0CAwEAAaNQME4wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSPskJpw53kPPoTuf/ywKTv2A/oIjAdBgNVHQ4EFgQUQRqS+htWdh5iK3HNGv27Q5lfCckwDQYJKoZIhvcNAQELBQADggEBAI+NnJjL8bGgilX7lb5b6eMimeZeRw6fMgkVQzxt9c4kQ6p8h048II4aP8QUBIzeDZtKuvRsyNjM9oil9OUXCNp3NTY/bsr6oSy9kwdz1G/bg7OfEb+3QXPmXTvCPpwCjIBsz9nfXp+bjzJ0vGi0YkVImML9EClLCOfnHtwrG+fQQSjyCeppHZVe354qwjOv/3Lf7gH0m9FudgA4tFZ7ncsmHn2OKSlJZkkdxZegY83ZigxjMCvL2hG1lcRhast6RJSVaAi81mwQhQk2c3h2HM5DhDR1WikGqBeKID//MoI3v2CK43wpm6I/zciC/Avg1tyOtCFHiAR2lD9b9U/M598="
-# dnssec-tools.org DS 54556 5 2 6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71A476E282
+# Note that ArchLinux distribution by default uses root-zone trust anchor from file
+# /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf and it will get overrided
+# by setting trust-anchor again, so if you want to add your user-specific keys, you
+# should also include the original root zone anchor.
+
+#: trust-anchor
+# dlv.isc.org DS 19297 5 2 A11D16F6733983E159EDF8053B2FB57B479D81A309A50EAA79A81AF4 8A47C617
+# dlv.isc.org DS 19297 5 1 7D480DBEF530374D8A4333FCB22106EB10013B46
#;
#: zone-security-expectation
# . validate
-# dnssec-tools.org validate
+#;
+
+#: dlv-trust-points
+# . dlv.isc.org
#;
: provably-insecure-status
. trusted
;
-: clock-skew
- . 0
-;
+#: clock-skew
+# . 0
+#;
##################################
# MTA Policies
##################################
-mta provably-insecure-status
- . trusted
-;
+#mta provably-insecure-status
+# . trusted
+#;
-mta clock-skew
- . -1
-;
+#mta clock-skew
+# . -1
+#;
##################################
# Web Browser Policies
##################################
-browser provably-insecure-status
- . trusted
-;
+#browser provably-insecure-status
+# . trusted
+#;
-browser clock-skew
- . 0
-;
+#browser clock-skew
+# . 0
+#;
##################################
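Review bot: `app-policy` is switched from `disable` to `enable` with no comment explaining why, while the same patch comments out every application-labelled policy in this file (the `mta ...` and `browser ...` blocks), so anything the switch selects now has to come from dnsval.conf.head or dnsval.conf.tail. Together with the unchanged `env-policy enable`, this presumably lets the calling program's name or environment choose the validation policy label, so it deserves a line above it such as `# app-policy enable: the application name may select a labelled policy (e.g. mta, browser); define those in dnsval.conf.head/.tail`. The new trust-anchor note covers the riskiest edit a user can make and would be clearer as `# A trust-anchor block set here or in dnsval.conf.tail replaces the root anchor loaded from root-anchors.dnsval.conf; repeat the root entry in that block when adding your own keys.` The commented dlv.isc.org example also pairs a digest-type-1 (SHA-1) DS line with the type-2 one; keeping only the type-2 line would avoid steering users toward the weaker digest.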