Maintained by: NLnet Labs

[Unbound-users] DNSSEC trust anchors

Thomas Winget
Tue Sep 30 02:22:24 CEST 2014


Thanks for the quick reply!

So for unbound installed in a default config on a Linux box, that seems
reasonable.  But that doesn't help with Windows, and requires unbound
installed (rather than just e.g. libunbound-dev on *buntu).  I'm hoping to
find a solution that will be very cross-platform friendly and not require
an extra dependency, but I can sacrifice the latter in the interest of the
former if necessary.

On Mon, Sep 29, 2014 at 8:09 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 29 Sep 2014, Thomas Winget wrote:
>
>> Despite my best efforts searching, I can't seem to find the correct way
>> to deal with DNSSEC trust anchors cross-platform.  I would like to enable
>> DNSSEC validation for various DNS-based functions in a program that uses
>> libunbound (C++), but maintaining trust anchors within the git repo is
>> untenable (as some users don't compile from source).  Note: the program
>> uses libunbound for DNS queries, not as a server.
>> Can anyone point me in the right direction for where various OS keep
>> DNSSEC anchors, or if they include them?  Currently we build for
>> Win (XP+), OSX, Linux, and FreeBSD.
>>
>
> Are you referring to the root key and the dlv key? Or are you referring
> to your own customer KSK keys?
>
> fedora/rhel and I believe debian/ubuntu, put the root key in
> /var/lib/unbound/root.anchor maintained by unbound-anchor.
>
> On fedora/rhel, we put the dlv key at /etc/unbound/dlv.isc.org.key
>
> custom KSKs on fedora/rhel go into /etc/unbound/keys.d
>
> That said, libreswan for example uses libunbound, and it actually
> includes its own copy of the root KSK. I wish we could get to a
> universal key directory, like /etc/dnssec/keys.d or something,
> using a single (bind) format for the key, but I think I will
> have a pony first.
>
> Paul
>



-- 
Thomas Winget
Computer Engineering
Purdue University '12
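
The two approaches mentioned in the thread (use the system's anchor file, or ship a built-in copy as libreswan does) can be combined. The sketch below is an added example, not code from the thread or from libunbound; it is POSIX-only, and the names `choose_anchor`, `usable_anchor_file` and `AnchorChoice`, along with the placeholder built-in record, are assumptions made for illustration.

```cpp
// Added example (POSIX only): pick a system trust anchor file, else fall back.
#include <sys/stat.h>
#include <cstdio>
#include <string>
#include <vector>

enum class AnchorSource { File, BuiltIn };

struct AnchorChoice {
    AnchorSource source;
    std::string value;                  // file path, or the built-in record text
    std::vector<std::string> rejected;  // candidates skipped, with the reason
};

// An anchor file is only as trustworthy as its permissions: accept a regular,
// non-empty file that group and others cannot write. Symlinks are rejected.
static bool usable_anchor_file(const std::string& path, std::string& why) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) { why = "missing or unreadable"; return false; }
    if (!S_ISREG(st.st_mode)) { why = "not a regular file"; return false; }
    if (st.st_size == 0) { why = "empty"; return false; }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { why = "group/world writable"; return false; }
    return true;
}

AnchorChoice choose_anchor(const std::vector<std::string>& candidates,
                           const std::string& builtin_record) {
    AnchorChoice out{AnchorSource::BuiltIn, builtin_record, {}};
    for (const auto& path : candidates) {
        std::string why;
        if (usable_anchor_file(path, why))
            return AnchorChoice{AnchorSource::File, path, out.rejected};
        out.rejected.push_back(path + ": " + why);
    }
    return out;  // nothing usable on disk: use the copy shipped with the program
}

int main() {
    // Path named in the thread for Fedora/RHEL (maintained by unbound-anchor).
    std::vector<std::string> candidates = {"/var/lib/unbound/root.anchor"};
    // Placeholder: a real build embeds the current root DS/DNSKEY record here.
    AnchorChoice c = choose_anchor(candidates, "<BUILT-IN ROOT ANCHOR RECORD>");
    for (const auto& r : c.rejected) std::fprintf(stderr, "skipped %s\n", r.c_str());
    // libunbound: File -> ub_ctx_add_ta_file(ctx, path); BuiltIn -> ub_ctx_add_ta(ctx, record)
    std::printf("%s: %s\n", c.source == AnchorSource::File ? "file" : "built-in", c.value.c_str());
    return 0;
}
```

Logging the rejected candidates makes it visible when validation is running on the built-in copy rather than a system-maintained anchor.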