
for those who care about unbound (resolvconf and DNSSEC)


i'd like to get some feedback on whether i should implement some changes
in the unbound debian packaging:

    * integration with resolvconf as a provider of recursive DNS
      resolution. (#562031)

    * retrieving a list of upstream recursive DNS servers from
      resolvconf and automatically configuring these servers as
      forwarders, and deconfiguring them when they are no longer
      available. (#567879)

    * enabling DNSSEC validation by default. (#594911)

i'm inclined to implement all three of these features and make them each
individually toggle-able via /etc/default/unbound, and to enable these
features by default, but i would like to hear some wider opinions.  (i
have never even used resolvconf before.)

there are some sub-issues such as:

    * automatically creating key material and configuration for
      unbound-control (a la bind9 and rndc) so that unbound-control can
      be used to reload the forwarder configuration without dumping the

    * making sure we don't accidentally attempt to configure ourselves
      as a forwarder.

    * how, or whether to include the root trust anchor.  unbound now has
      a utility called unbound-anchor which attempts to fetch an updated
      root trust anchor from https://data.iana.org/root-anchors/, using
      a built-in copy of the ICANN HTTPS cert (so, it doesn't rely on
      x509 PKI); failing that, it writes out a built-in copy of the root
      trust anchor.

      it would be possible to invoke unbound-anchor in the unbound
      postinst in order to write out a trust anchor file into e.g.
      /var/cache/unbound, which is then referenced by the unbound config
      file, and it would also be possible to re-invoke unbound-anchor in
      the unbound init script.  this would mean that a DNS server with
      the unbound package would cause HTTPS connections to be made,
      although if these connections failed there would be a fall-back
      trust anchor used.

      it's possible that at some point in the future old versions of
      unbound-anchor would no longer be able to securely generate an
      up-to-date root trust anchor file, but i believe this could be
      adequately handled by a stable-security or stable point release

Robert Edmonds
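As an added example (not code from this post or from the Debian unbound packaging), here is one way the resolvconf-to-forwarder step and the "don't configure ourselves as a forwarder" guard discussed above could look in POSIX sh; the sample resolvconf output and the listen addresses are constructed assumptions.

```shell
#!/bin/sh
# Build an unbound forward-zone stanza from resolvconf-style
# "nameserver X" lines, dropping any address that would point
# unbound at itself (loopback, or an address it listens on).
# Example for this thread, not part of the unbound package.

UNBOUND_LISTEN="127.0.0.1 ::1"   # assumed local listen addresses

# Constructed sample of what resolvconf hands out: one "nameserver"
# line per upstream, a duplicate, and unrelated lines to ignore.
SAMPLE_RESOLVCONF='# Generated by resolvconf
search example.net
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver 192.0.2.53
options timeout:2'

# is_self ADDR: succeed if ADDR is one unbound itself answers on.
is_self() {
    case "$1" in
        127.*|::1|0.0.0.0|::) return 0 ;;
    esac
    for l in $UNBOUND_LISTEN; do
        if [ "$1" = "$l" ]; then return 0; fi
    done
    return 1
}

# forwarders_from_resolvconf: deduplicated upstream list, one per
# line, with self-referencing entries removed.
forwarders_from_resolvconf() {
    printf '%s\n' "$SAMPLE_RESOLVCONF" \
    | awk '$1 == "nameserver" && !seen[$2]++ { print $2 }' \
    | while read -r ns; do
        is_self "$ns" || printf '%s\n' "$ns"
      done
}

# forward_zone_conf: stanza for a file included by unbound.conf.
# With no usable upstream, emit nothing so unbound recurses from
# the root instead of forwarding to itself.  After writing the file,
# "unbound-control reload" picks it up without restarting.
forward_zone_conf() {
    fwd=$(forwarders_from_resolvconf)
    [ -n "$fwd" ] || return 0
    printf 'forward-zone:\n    name: "."\n'
    for ns in $fwd; do
        printf '    forward-addr: %s\n' "$ns"
    done
}
```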
