Maintained by: NLnet Labs

[Unbound-users] DNSSec validation

Paul Wouters
Wed Oct 3 16:00:14 CEST 2012


On Wed, 3 Oct 2012, Nikos Mavrogiannopoulos wrote:

> On Wed, Oct 3, 2012 at 10:58 AM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
>
>> The trust anchor was working all along, just fine.
>
> Is there some portable way to obtain a DNSSEC trust anchor in a
> system? It seems that unlike the other functions which set a default
> when NULL, the NULL value in the _ta_file() causes a crash. Otherwise
> is checking for /etc/unbound/root.key a sensible default?

I wish there was, but it seems we as a community have failed to make
that happen. The bind format was first, and unbound supports it, then it
added another format to be able to manage rolling the key. So now we
have two formats with two different feature sets.

I haven't yet figured out the best way to manage this. It is also
confusing because the same libunbound functions don't take the different
formats, and you have to change your library function depending on the
format.

Paul
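
The format split described in this message, together with the NULL crash raised in the quoted question, as an added example that is not part of the thread or of libunbound: it inspects a trust anchor file and names the libunbound call that reads it (ub_ctx_add_ta_autr, ub_ctx_trustedkeys or ub_ctx_add_ta_file), returning nothing for a NULL or unreadable path. The ta_* names are hypothetical, the format markers are heuristic assumptions, and the code does not link against libunbound.

```c
/* Added example, not libunbound code: pick the loader for an anchor file. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
enum ta_format { TA_NONE, TA_AUTOTRUST, TA_BIND_KEYS, TA_RR_FILE };

/* libunbound call that reads each format; NULL means load nothing. */
static const char *const TA_LOADER[] = {
    NULL, "ub_ctx_add_ta_autr", "ub_ctx_trustedkeys", "ub_ctx_add_ta_file" };
/* Constructed samples; key and digest fields are placeholders. */
static const char *const SAMPLES[] = {
    "; autotrust trust anchor file\n;;id: . 1\n. 172800 IN DNSKEY 257 3 8 KEY\n",
    "trusted-keys {\n  \".\" 257 3 8 \"KEY\";\n};\n",
    ". IN DS 12345 8 2 DIGEST\n" };

/* True if word occurs in text delimited by whitespace or the buffer ends. */
static int has_word(const char *text, const char *word) {
    size_t n = strlen(word);
    for (const char *p = strstr(text, word); p; p = strstr(p + 1, word))
        if ((p == text || isspace((unsigned char)p[-1])) &&
            (p[n] == '\0' || isspace((unsigned char)p[n])))
            return 1;
    return 0;
}

/* Assumed markers: autotrust header or ";;id:", trusted-keys, bare records. */
enum ta_format ta_classify_text(const char *text) {
    if (text == NULL) return TA_NONE;
    if (strstr(text, "; autotrust trust anchor file") || strstr(text, ";;id:"))
        return TA_AUTOTRUST;
    if (has_word(text, "trusted-keys")) return TA_BIND_KEYS;
    if (has_word(text, "DNSKEY") || has_word(text, "DS")) return TA_RR_FILE;
    return TA_NONE;
}

/* NULL or unreadable paths yield TA_NONE instead of reaching the library. */
enum ta_format ta_classify_file(const char *path) {
    char buf[8192];
    FILE *f = path ? fopen(path, "r") : NULL;
    if (f == NULL) return TA_NONE;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return ta_classify_text(buf);
}

int main(void) {
    for (int i = 0; i < 3; i++)
        printf("sample %d -> %s\n", i, TA_LOADER[ta_classify_text(SAMPLES[i])]);
    const char *fn = TA_LOADER[ta_classify_file("/etc/unbound/root.key")];
    printf("/etc/unbound/root.key -> %s\n", fn ? fn : "(no usable anchor)");
    return 0;
}
```

A caller would switch on the returned format and make the matching libunbound call itself, treating TA_NONE as "validation not configured" rather than passing the path on.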