OpenDKIM TrustAnchorFile is apparently unused

[DarkCat09]

I just checked opendkim.conf(5) and it says:

TrustAnchorFile (string)

Specifies a file from which trust anchor data should be read when doing DNS queries and applying the DNSSEC protocol. This is currently ignored unless the underlying library is compiled to use Unbound; see the documentation at at http://unbound.net for the expected format of this file.

In Debian packages, OpenDKIM is built without Unbound libs (that's the default), so the trust anchor config is completely ignored if i got it right. Chatmail relays already have a local Unbound resolver for DNSSEC while OpenDKIM does nothing to verify the DNS response.

[j-g00da]

This is doubly unused, as we don't use OpenDKIM for verification anymore (only for signing, verification was moved to filtermail) - so I don't think OpenDKIM does any DNS querries at all.

[j-g00da]

Just checked hickory-resolver docs (which we use for DNS queries in filtermail):

The current root key is bundled into the system, and used by default. This gives validation of DNSKEY and DS records back to the root. NSEC and NSEC3 are implemented.

To enable DNSSEC, enable the dnssec-ring feature.

We should definitely do that, and we also can remove TrustAnchorFile (along with some other unused settings) from opendkim.conf.

[j-g00da]

This is fixed now