[Unbound-users] DNSSEC trust anchors

Paul Wouters paul at nohats.ca
Tue Sep 30 00:09:09 UTC 2014


On Mon, 29 Sep 2014, Thomas Winget wrote:

> Despite my best efforts searching, I can't seem to find the correct way to deal with DNSSEC trust anchors cross-platform.  I would
> like to enable DNSSEC validation for various DNS-based functions in a program that uses libunbound (C++), but maintaining trust
> anchors within the git repo is untenable (as some users don't compile from source).  Note: the program uses libunbound for DNS
> queries, not as a server.
> Can anyone point me in the right direction for where various OS keep DNSSEC anchors, or if they include them?  Currently we build for
> Win (XP+), OSX, Linux, and FreeBSD.

Are you referring to the root key and the dlv key? Or are you referring
to your own customer KSK keys?

fedora/rhel and I believe debian/ubuntu, put the root key in
/var/lib/unbound/root.anchor maintained by unbound-anchor.

On fedora/rhel, we put the dlv key at /etc/unbound/dlv.isc.org.key

custom KSKs on fedora/rhel go into /etc/unbound/keys.d

That said, libreswan for example uses libunbound, and it actually
includes its own copy of the root KSK. I wish we could get to a
universal key directory, like /etc/dnssec/keys.d or something,
using a single (bind) format for the key, but I think I will
have a pony first.

Paul



More information about the Unbound-users mailing list