Maintained by: NLnet Labs

[Unbound-users] DNSSec validation

Paul Wouters
Thu Oct 4 23:32:38 CEST 2012


On Thu, 4 Oct 2012, Nikos Mavrogiannopoulos wrote:

> That's the problem this approach would actually solve. You wouldn't need
> to know that because the Debian maintainer would configure the library
> with the correct paths and the same for fedora. We use that approach in
> gnutls for quite some time with success.

I would be happy if libunbound had a compile time option for the root
and dlv keys, or perhaps better, a key directory. That way, if someone
configures custom key (manually or via puppet) then all applications
would know about those keys, whereas otherwise, it would depend on
unbound as a daemon to load these.

Note you should still run a daemon, and forward the appliction's use
via libunbound to the daemon, so all apps basically re-use a cache.

>> 2. How do you know someone (malicious ?) on that system didn't leave a
> key in a place it shouldn't ?
>
> You don't. You rely on your maintainer to correctly compile the package
> for you. If you don't trust him, then you shouldn't be using this OS anyway.

Yes. This is similar to FIPS, though FIPS does take an extra step and
builds in some hmac files to prevent some tampering. But once root
access (with write access to disk) has leaked out, it's pretty much
over.

> I don't think having each application ship its own root keys can be a
> realistic solution.

that would in fact be the _worst_ solution.

Paul