Maintained by: NLnet Labs

[Unbound-users] DNSSec validation

Paul Wouters
Wed Oct 3 18:50:50 CEST 2012

On Wed, 3 Oct 2012, Leen Besselink wrote:

> There are 2 problems I think:
> 1. where to look for the key, what is the default on each system (Debian stores it at X, Fedora at Y).

Yes, this is a problem not only between Linux distributions but also
between application software.

> 2. How do you know someone (malicious?) on that system didn't leave a key in a place it shouldn't?

Because the key came in through the package manager, and it should be
GPG signed? Though I agree that the application would not perform this
check and I don't think the application should do this check, just like
other applications don't run tripwire to check if they are compromised.

However, it would make sense for the validating resolver to check this
on startup, especially in FIPS mode. But if we do that, we cannot roll
the key when we detect this is happening (e.g. unbound-anchor-wise) and
we must rely on the vendor for the updates, and for a machine that is
shelved for 15 years and misses a root key roll, there is currently no
recovery method.

> But it isn't as easy as shipping the PGP key from IANA [0] with your application and just checking a
> signature of the key either, I believe.

Especially seeing that the PGP key there did not sign a simple text
version of the key, but seems to sign for the CA/X509 certs used for
the webserver used at

> So I guess for now the best thing is for the user to specify where it is stored? And let the
> distribution specify a location in their package?

I think so. And then there is the additional problem of how you add your
own keys for those DNSSEC islands that are not part of the public DNS
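The startup check discussed above (re-verifying the on-disk trust anchor against a key the resolver already trusts) as an added example; this is editor's code written for this archive page, not Unbound's or unbound-anchor's own implementation. It re-derives the key tag and DS digest of every DNSKEY in a trust-anchor file written in zone-file format (the layout unbound-anchor uses for root.key) and compares them with DS records compiled into the program. The root DS constant is the value IANA publishes for key tag 20326; the sample key, the sample anchor file and the default file path are assumptions constructed for the example.

```python
"""Startup sanity check of an on-disk DNSSEC trust anchor (added example)."""
import base64
import hashlib
import struct
import sys

# DS for the root zone KSK (key tag 20326) as published by IANA. This is the
# kind of compiled-in reference a resolver would compare the file against.
ROOT_DS = [
    (".", 20326, 8, 2,
     "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"),
]

# Constructed sample key material (not a real key): RSA-style public key blob
# with exponent length 3, exponent 65537 and four bytes standing in for a modulus.
SAMPLE_KEY = bytes.fromhex("03010001aabbccdd")
SAMPLE_RDATA = struct.pack("!HBB", 257, 3, 8) + SAMPLE_KEY   # flags, proto, alg
# Constructed anchor file in the layout unbound-anchor writes, comment included.
SAMPLE_ANCHOR = (
    "; autotrust trust anchor file\n"
    ". 86400 IN DNSKEY 257 3 8 " + base64.b64encode(SAMPLE_KEY).decode()
    + " ;{id = 32420 (ksk), size = 64b} ;;state=2 [  VALID  ]\n"
)


def canon(name):
    """Canonical owner name: lower case, exactly one trailing dot ('.' stays '.')."""
    return name.rstrip(".").lower() + "."


def name_to_wire(name):
    """Uncompressed wire form of an owner name; the root '.' is one zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """RFC 4034 section 5.1.4: digest(owner name in wire form || DNSKEY RDATA)."""
    algos = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    return algos[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey_line(line):
    """Return (owner, rdata) for a zone-file DNSKEY line, or None for other lines."""
    fields = line.split(";", 1)[0].split()          # drop trailing ';' comments
    if "DNSKEY" not in fields:
        return None
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split by spaces
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key


def check_anchor_file(text, trusted_ds):
    """For each DNSKEY in text, report (owner, key tag, whether a trusted DS matches)."""
    results = []
    for line in text.splitlines():
        parsed = parse_dnskey_line(line)
        if parsed is None:
            continue
        owner, rdata = parsed
        tag, alg = key_tag(rdata), rdata[3]
        ok = any(
            canon(owner) == canon(t_owner) and tag == t_tag and alg == t_alg
            and ds_digest(owner, rdata, t_type) == t_digest.upper()
            for (t_owner, t_tag, t_alg, t_type, t_digest) in trusted_ds
        )
        results.append((owner, tag, ok))
    return results


if __name__ == "__main__":
    # Assumed default location (one of the distribution-specific paths the
    # thread complains about); pass the real path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/unbound/root.key"
    with open(path) as fh:
        report = check_anchor_file(fh.read(), ROOT_DS)
    for owner, tag, ok in report:
        print(f"{owner} keytag {tag}: {'matches trusted DS' if ok else 'NOT TRUSTED'}")
    sys.exit(0 if report and all(ok for _, _, ok in report) else 1)
```

The check only ever accepts keys whose DS is compiled in, which is exactly the trade-off raised in the reply above: after a root key roll the file written by RFC 5011 tracking (Unbound's `auto-trust-anchor-file`) would legitimately contain a key this check reports as NOT TRUSTED, so the compiled-in list has to be updated by the vendor. For a DNSSEC island that is not reachable from the root, the same comparison works against a DS for that zone's own apex in place of ROOT_DS, with the corresponding entry configured in Unbound via `trust-anchor:` or `trust-anchor-file:`.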