Maintained by: NLnet Labs

[Unbound-users] DNSSec validation

Leen Besselink
Wed Oct 3 17:37:23 CEST 2012

On Wed, Oct 03, 2012 at 04:45:02PM +0200, Nikos Mavrogiannopoulos wrote:
> On Wed, Oct 3, 2012 at 2:35 PM, W.C.A. Wijngaards <wouter at> wrote:
> >> Is there some portable way to obtain a DNSSEC trust anchor in a
> >> system? It seems that unlike the other functions which set a
> >> default
> > portable?  I cannot help you with this, perhaps authors of those
> > systems can provide you with their answers.
> I think this shouldn't be left on the unbound application developer.
> Similarly to ub_ctx_hosts() and ub_ctx_resolvconf() there should be an
> option to try some sensible defaults. E.g. try to find the unbound
> root.key file, then try the bind one, and so on. Then patches for the
> various unsupported systems will come to unbound from developers
> working with them. Otherwise this discovery phase will be duplicated
> on every project using unbound, and possibly with varying success.
> > The unbound-anchor tool has a default and can be used to also keep
> > this key up to date.  It is meant to be used by the operating system
> > (e.g. run at startup time), but you could also run it to get a key for
> > your program.
> I develop a dane library to be used with gnutls and I cannot really
> run external applications. I'll try to do the root.key discovery, and
> if not found I'll return an error to the library user.

There are 2 problems I think:

1. where to look for the key, what is the default on each system (Debian stores it at X, Fedora at Y).

2. How do you know someone (malicious ?) on that system didn't leave a key in a place it shouldn't ?

And how do you know this key will actually be updated ?

Guessing for something which is that security sensitive doesn't seem like a good idea to me.

But it isn't as easy as shipping the PGP-key from IANA [0] with your application and just check a
signature of the key either I believe.

So I guess for now the best thing is for the user to specify where it is stored ? And let the
distribution specify a location in their package ?


> regards,
> Nikos
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at