Maintained by: NLnet Labs

[Unbound-users] DNSSec validation

Nikos Mavrogiannopoulos
Thu Oct 4 20:00:20 CEST 2012

On 10/03/2012 05:37 PM, Leen Besselink wrote:

> There are 2 problems I think:
> 1. where to look for the key, what is the default on each system (Debian stores it at X, Fedora at Y).

That's the problem this approach would actually solve. You wouldn't need
to know that because the Debian maintainer would configure the library
with the correct paths and the same for fedora. We use that approach in
gnutls for quite some time with success.

> 2. How do you know someone (malicious ?) on that system didn't leave a
key in a place it shouldn't ?

You don't. You rely on your maintainer to correctly compile the package
for you. If you don't trust him, then you shouldn't be using this OS anyway.

> And how do you know this key will actually be updated ?

That's why I suggested this to be handled in libunbound. So that
maintainers set the correct path, of the file that will be updated, at
compile time.

All the problems you mention are not because of my suggestion, they are
already there, but each and every application developer has to deal with
them. I think if unbound deals with it centrally it would be a good
thing for everyone using the library (I could provide an initial patch
if you're interested).

> Guessing for something which is that security sensitive doesn't seem like a good idea to me.
> But it isn't as easy as shipping the PGP-key from IANA [0] with your application and just check a
> signature of the key either I believe.

I don't think having each application ship its own root keys can be a
realistic solution.