getdns version 1.2 includes support for automatic trust anchor management - 'zero configuration DNSSEC'. We plan to improve DNSSEC support in a future release so that errors in configuration are reported to the user.
If using a version earlier than 1.2 then DNSSEC support also requires that a trust anchor is manually installed and managed on the system. We recommend
Storage of Zero-config Trust anchor
When the system-level user has a home directory, stubby will store the root trust anchor that is dynamically acquired for Zero configuration DNSSEC in a subdirectory called ".getdns" of that home directory. If the system-level user does not have a home directory, or the home directory is not writeable or readable, stubby will fall back to the current working directory.
This can be overridden by supplying an "appdata_dir" in the stubby.yml configuration file. When an "appdata_dir" is specified, that directory is used immediately for storing data related to Zero configuration DNSSEC, without the other paths being tried. For systemd setups using the provided systemd.service file(s), it is recommended to set the "appdata_dir" directive to "/var/cache/stubby" in the stubby.yml configuration file.
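The lookup order described above, as an added shell example (not code from stubby or getdns) for checking which directory a given user and configuration will end up with. The function names are hypothetical, and the parser assumes "appdata_dir" appears as a simple top-level `appdata_dir: value` line in stubby.yml.

```shell
#!/bin/sh
# Added example: mirrors the documented lookup order; not stubby's own code.

# Print the appdata_dir value from a stubby.yml, or nothing if it is absent.
# Assumption: a simple top-level "appdata_dir: value" line, optionally quoted.
yaml_appdata_dir() {
    [ -f "$1" ] || return 0
    sed -n 's/^appdata_dir:[[:space:]]*//p' "$1" | head -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# True when the argument is an existing, readable and writeable directory.
usable_dir() { [ -n "$1" ] && [ -d "$1" ] && [ -r "$1" ] && [ -w "$1" ]; }

# trust_anchor_dir CONFIG HOME_DIR CWD
# Prints "<source> <path>". Returns 1 when a configured appdata_dir is not
# usable, because in that case no other path is tried.
trust_anchor_dir() {
    cfg=$1 home=$2 cwd=$3
    appdata=$(yaml_appdata_dir "$cfg")
    if [ -n "$appdata" ]; then
        # An explicit appdata_dir is used immediately, without any fallback.
        echo "appdata_dir $appdata"
        usable_dir "$appdata"
        return
    fi
    if usable_dir "$home"; then
        # Default: the ".getdns" subdirectory of the user's home directory.
        echo "home $home/.getdns"
    else
        # No home directory, or it is not readable/writeable.
        echo "cwd $cwd"
    fi
}

# Stand-alone use: pass the path to stubby.yml as the first argument and run
# as the system-level user that stubby runs as.
trust_anchor_dir "${1:-stubby.yml}" "${HOME:-}" "$PWD" ||
    echo "configured appdata_dir is not a usable directory" >&2
```

A result of `cwd` for a service account means the trust anchor location depends on where the daemon was started, which is the case the "appdata_dir" recommendation for systemd setups avoids.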
Note that using DNSSEC can add a small performance overhead because it increases the number of queries required to resolve a DNS request.
In the 0.1.2 release of stubby there is runtime logging, which can be turned on by using the '-l' flag.