Maintained by: NLnet Labs

[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation

Leen Besselink
Thu Aug 23 11:43:32 CEST 2012


On Thu, Aug 23, 2012 at 11:14:57AM +0200, Leen Besselink wrote:
> On Wed, Aug 22, 2012 at 09:20:08PM -0700, Bry8 Star wrote:
> > Hi,
> 
> Hi,
> 
> > There are many other Root servers other than ICANN Root servers. For
> > example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
> > (http://www.opennicproject.org/), New Nations (New-Nations.net),
> > Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org),  42
> > (http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
> > DNS) (i-dns.net), Public-Root ( http://public-root.com), UnifiedRoot
> > (unifiedroot.com), etc.
> > 
> > How can i integrate all into one Unbound or into a central Unbound ? to
> > use their all TLDs, which are not found in default ICANN/IANA root servers.
> > 
> 
> That is gonna be an interresting journey to get that working if you want
> DNSSEC.
> 
> Extra root servers, especially with DNSSEC, seems kind of unlikely to me.
> 
> As the ICANN root is signed, you can't really add other data to a signed zone
> at the same level as far as I know.
> 
> Extra TLD's should be possible.
> 
> You'll need a stub-zone and (auto-)trust-anchor for each TLD that supports DNSSEC.
> 
> However a validating resolver on a desktop/laptop/mobile device which does not
> have that installed would reject the data.
> 

I should probably add:

As the above is the case, I wouldn't be surprised that this won't work in 5 or 10 years.

It might be that by then a significant number of hosts will have a DNSSEC-validator
and enabled by default.

If you run an alternative TLD, it would be a good idea in the long run to look
at registering your TLD at ICANN.

The other alternative is browser- or OS-addons which handle the alternative TLDs, but
as more and more different devices get Internet enabled. It might need to be created
for many platforms.

> Not many of those around though. Not yet anyway, but Chrome already has a DNSSEC-validator,
> they are adding a DNS-resolver and they have a way of updating the root key. 
> 
> The solution for not having to create such a large configuration file might
> be that someone,  probably the alternative root or TLD operators, could create
> a DLV-registery.
> 
> That might help.
>  
> But I'm not expert on DLV.
> 
> > Thanks for your all help.
> > ~ Bry8Star.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users