Maintained by: NLnet Labs

[Unbound-users] DNSSec validation

Leen Besselink
Wed Oct 3 19:29:12 CEST 2012


On Wed, Oct 03, 2012 at 12:50:50PM -0400, Paul Wouters wrote:
> On Wed, 3 Oct 2012, Leen Besselink wrote:
> 
> >There are 2 problems I think:
> >
> >1. where to look for the key, what is the default on each system (Debian stores it at X, Fedora at Y).
> 
> Yes, this is a problem not only between Linux distributions but also
> between application software.
> 
> >2. How do you know someone (malicious ?) on that system didn't leave a key in a place it shouldn't ?
> 
> Because the key came in through the package manager, and it should be
> GPG signed? Though I agree that the application would not perform this
> check and I don't think the application should do this check, just like
> other applications don't run tripwire to check if they are compromised.
> 
> However, it would make sense for the validating resolver to check this
> on startup, especially in FIPS mode. But if we do that, we cannot roll
> the key when we detect this is happening (eg unbound-anchor wise) and
> we must rely on the vendor for the updates, and for a machine that is
> shelved for 15 years and misses a root key roll, there is currently no
> recovery method.
> 
> >But it isn't as easy as shipping the PGP-key from IANA [0] with your application and just check a
> >signature of the key either I believe.
> 
> Especially seeing that the PGP key there did not sign a simple text
> version of the key, but seems to sign for the CA/X509 certs used for
> the webserver used at data.iana.org.
> 

I'm still left wondering who came up with that. :-)

My best guess is that at least certain people they know already had the PGP key.

> >So I guess for now the best thing is for the user to specify where it is stored ? And let the
> >distribution specify a location in their package ?
> 
> I think so. And then there is the additional problem of how you add your
> own keys for those DNSSEC islands that are not part of the public DNS
> view.
> 

So what you really want is for distributions to use something like unbound-anchor, but it needs to
support updating other anchors (which it currently does not?).

Then you let the user or distribution (when your application is packaged) specify which directory to look in for the keys?

The file contains the domain name the key belongs to.

(I just looked at unbound-anchor, I didn't know it had the IANA-cert builtin and supports HTTPS)

DNSSEC validation on client machines is complicated anyway: you need the right time. But when you want to talk to an
NTP server you probably depend on DNS...

DNSSEC is great, but not simple. ;-)

> Paul
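The two problems Leen raises (which directory each distribution keeps anchors in, and whether a stray key has been dropped somewhere it should not be) can be audited from the anchor files themselves, since each file names the owner the key belongs to. The Python below is an added example, not code from this thread, from unbound or from unbound-anchor. It reads trust anchors in the zone-file presentation format (one DS or DNSKEY record per line), computes the RFC 4034 key tag and DS digest for every DNSKEY anchor, and reports any anchor whose owner is not in an expected set or whose key matches none of the expected DS records. The file paths, the keys and the "corp.example." island are all constructed for the example; the expected-DS table stands in for whatever the vendor or operator ships as the authoritative list.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Owner name in DNS wire format, lower-cased (RFC 4034 s.5.1.4 canonical form for DS)."""
    labels = name.lower().rstrip(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels.split(".")) if labels else b""
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (correct for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest: hash(owner name in wire format || DNSKEY RDATA), upper-case hex (RFC 4034 s.5.1.4)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def parse_anchor_line(line):
    """Parse one DS or DNSKEY record in presentation format; returns None for blank/comment lines."""
    line = line.split(";", 1)[0].strip()
    if not line:
        return None
    tok = line.split()
    owner = tok.pop(0)
    if not owner.endswith("."):
        raise ValueError("trust anchor owner must be an absolute name: %r" % owner)
    if tok and tok[0].isdigit():          # optional TTL
        tok.pop(0)
    if tok and tok[0].upper() == "IN":    # optional class
        tok.pop(0)
    rtype = tok.pop(0).upper()
    if rtype == "DNSKEY":
        flags, proto, alg = int(tok[0]), int(tok[1]), int(tok[2])
        rdata = dnskey_rdata(flags, proto, alg, base64.b64decode("".join(tok[3:])))
        return {"owner": owner, "type": "DNSKEY", "key_tag": key_tag(rdata),
                "algorithm": alg, "rdata": rdata}
    if rtype == "DS":
        return {"owner": owner, "type": "DS", "key_tag": int(tok[0]), "algorithm": int(tok[1]),
                "digest_type": int(tok[2]), "digest": "".join(tok[3:]).upper()}
    raise ValueError("not a trust anchor record: %r" % line)


def load_anchors(files):
    """files maps path -> file contents; returns one record per anchor, tagged with its path."""
    anchors = []
    for path, text in files.items():
        for line in text.splitlines():
            rec = parse_anchor_line(line)
            if rec:
                rec["path"] = path
                anchors.append(rec)
    return anchors


def audit(anchors, expected):
    """expected maps owner -> set of (key_tag, algorithm, digest_type, digest_hex).
    Flags anchors for owners nobody expects and anchors that match none of the expected DS."""
    findings = []
    for a in anchors:
        exp = expected.get(a["owner"])
        if exp is None:
            findings.append((a["path"], a["owner"], "anchor for owner not in expected set"))
            continue
        if a["type"] == "DNSKEY":
            ok = any(a["key_tag"] == kt and a["algorithm"] == alg
                     and ds_digest(a["owner"], a["rdata"], dt) == dg for kt, alg, dt, dg in exp)
        else:
            ok = (a["key_tag"], a["algorithm"], a["digest_type"], a["digest"]) in exp
        if not ok:
            findings.append((a["path"], a["owner"], "anchor matches no expected DS"))
    return findings


# ---- constructed sample (hypothetical paths, toy keys; not real DNSSEC material) ----
ROOT_RDATA = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")   # key tag 2063
CORP_RDATA = dnskey_rdata(257, 3, 8, b"\x05\x06\x07\x08")   # key tag 4119, an internal island

# The anchors the vendor/operator says should exist; digests are derived here so the toy data is consistent.
EXPECTED_DS = {
    ".": {(2063, 8, 2, ds_digest(".", ROOT_RDATA))},
    "corp.example.": {(4119, 8, 2, ds_digest("corp.example.", CORP_RDATA))},
}

SAMPLE_FILES = {
    "/etc/unbound/root.key": ". 172800 IN DNSKEY 257 3 8 AQIDBA==\n",        # matches EXPECTED_DS["."]
    "/usr/share/dns/root.key": ". IN DNSKEY 257 3 8 AQIDBQ==\n",             # stale copy, last key byte differs
    "/etc/unbound/keys.d/corp.example.key":
        "; internal island, maintained by the corp admins\n"
        "corp.example. IN DS 4119 8 2 %s\n" % ds_digest("corp.example.", CORP_RDATA),
    "/etc/unbound/keys.d/bank.example.key": "bank.example. IN DNSKEY 257 3 8 CQoLDA==\n",  # unexpected owner
}


def audit_sample():
    return audit(load_anchors(SAMPLE_FILES), EXPECTED_DS)


if __name__ == "__main__":
    for path, owner, why in audit_sample():
        print("%s: %s: %s" % (path, owner, why))
```

On the sample the stale root copy under /usr/share/dns is reported because its key tag (2064) and digest match nothing expected, and the bank.example. anchor is reported because no island with that owner is expected; the DS-form anchor for the internal island passes. Running this at resolver startup against a vendor-supplied DS list is one way to do the check Paul suggests, with the caveat he gives: it can only confirm anchors against what the vendor shipped, so it does not help a machine that missed a root key roll.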