Maintained by: NLnet Labs

[Unbound-users] DNSSec validation

Nikos Mavrogiannopoulos
Wed Oct 3 16:45:02 CEST 2012


On Wed, Oct 3, 2012 at 2:35 PM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:

>> Is there some portable way to obtain a DNSSEC trust anchor in a
>> system? It seems that unlike the other functions which set a
>> default
> portable?  I cannot help you with this, perhaps authors of those
> systems can provide you with their answers.

I think this shouldn't be left on the unbound application developer.
Similarly to ub_ctx_hosts() and ub_ctx_resolvconf() there should be an
option to try some sensible defaults. E.g. try to find the unbound
root.key file, then try the bind one, and so on. Then patches for the
various unsupported systems will come to unbound from developers
working with them. Otherwise this discovery phase will be duplicated
on every project using unbound, and possibly with varying success.

> The unbound-anchor tool has a default and can be used to also keep
> this key up to date.  It is meant to be used by the operating system
> (e.g. run at startup time), but you could also run it to get a key for
> your program.

I develop a dane library to be used with gnutls and I cannot really
run external applications. I'll try to do the root.key discovery, and
if not found I'll return an error to the library user.

regards,
Nikos