Maintained by: NLnet Labs

[Unbound-users] DNSSec validation

Ondrej Mikle
Thu Oct 4 16:45:53 CEST 2012

On 10/03/2012 04:45 PM, Nikos Mavrogiannopoulos wrote:
> On Wed, Oct 3, 2012 at 2:35 PM, W.C.A. Wijngaards <wouter at> wrote:
>>> Is there some portable way to obtain a DNSSEC trust anchor in a
>>> system? It seems that unlike the other functions which set a
>>> default
>> portable?  I cannot help you with this, perhaps authors of those
>> systems can provide you with their answers.
> I think this shouldn't be left on the unbound application developer.
> Similarly to ub_ctx_hosts() and ub_ctx_resolvconf() there should be an
> option to try some sensible defaults. E.g. try to find the unbound
> root.key file, then try the bind one, and so on. Then patches for the
> various unsupported systems will come to unbound from developers
> working with them. Otherwise this discovery phase will be duplicated
> on every project using unbound, and possibly with varying success.

One option, I think the closest to "platform-independent" would be distributing
the key with the library (like NSS does with builtin certs). Then you can use
ub_ctx_add_ta (see attached sample). Obvious drawback is that you have issue new
version if root key changes or implement key management on your own.

Alternatively, probe for default locations of the key file, then fallback to key
distributed with the library. Also, you could add unbound-anchor to the
distributed archive and run it in a post-install script.

Notes on unbound and defaults:

- I suggest to avoid using forwarder (ub_ctx_set_fwd) as most commonly deployed
recursive DNS resolvers at ISPs will fail for DNSSEC (usually due to DS
records). Instead use libunbound as full recursive resolver. It will take few
queries to get its cache heated, but it's rather quick unless you go over a very
slow network like Tor.
- Attempting to use ub_ctx_hosts() with the default locations on the other hand
might be a good idea in preserving user's mappings for local machines, etc.
- Some distros like Fedora, RHEL and clones distribute unbound with root
anchors, some like Debian/Ubuntu don't. But I generally wouldn't count on the
key being present on a typical user's machine.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound-test.c
Type: text/x-csrc
Size: 4055 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <>