autotrust(8) automated updates of DNSSEC trust anchors.


autotrust [-c configfile] [-d] [-h] [-v verbosity]


autotrust is a standalone application that automatically updates DNSSEC trust anchors. These can be used for DNSSEC aware resolvers like Unbound or BIND9. It is compliant with RFC 5011, with the exception of query intervals and retry times. In order to follow these time recommendations, autotrust should run as a daemon. It is to be called from the commandline once in a while, or from a cron job.


All the configurations need to be set in the configuration file. For more information, see the autotrust.conf.sample.

-c configfile
Use this configfile.
Run as daemon.
Print help information and exit.
-v verbosity
Specify a verbosity level. Setting it to zero will produce no output. Default verbosity level is 1. If verbosity is given in the configfile, the commandline value will be overrided.


default configuration file.

/var/lib/autotrust/autotrust.state default file to store trust anchor state.


autotrust will log all notifications and problems to the specified logfile. If no logfile was specified, output is directed to stderr. If autotrust is not daemonized, it will perform a single active refresh and will return zero code if the refresh was successfull, 1 otherwise.


autotrust was written by NLnet Labs.


Bugreports can be send to [email protected] See TODO for more information.