Re: where is the DNSSEC root key?
On Thursday, October 04, 2012 06:42:08, Nikos Mavrogiannopoulos wrote:
> I've started working with DNSSEC and I noticed a quite important
> issue. The DNSSEC libraries ask for the root key, but where this file
> is located is system specific (meaning no fixed location). Where is
> this key located in debian (let's forget the multiple possible
> formats)? The dnssec wiki in  mentions that the package bind9
> contains the key. However this key may be required even without bind9.
Last I looked into this [which has admittedly been a while], Bind 9 was the
only DNS server that had actually implemented DNSSEC, and the others I looked
at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were /not/ going to
be implementing it.
> My request is, whether there can be a fixed file location similar to
> /etc/ssl/certs/ca-certificates.crt that will contain the DNSSEC root
> key either in the bind or the unbound format? That way dnssec
> applications could rely on the debian system to update/obtain the key.
The problem with this idea is that files installed by Debian packages must be
unique in order to avoid file conflicts between packages. One way around this
issue is via 'alternatives'. 
However, since all DNS servers are generally meant to use port 53, I think it's
unlikely that anyone would install more than one DNS server locally, so I'm not
sure if doing this makes sense from a packaging perspective. [I can see how it does from an
GPG Key: 4096R/0x1E759A726A9FDD74
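The DNSKEY presentation format (the form bind's managed-keys and unbound's root.key store) and the DS form of a trust anchor are tied together by the RFC 4034 hashing rules, so an application that obtains the key from one file can check it against the other. The following Python is an added example, not code from this thread or from Debian; the DNSKEY line uses made-up key bytes (01..08) and is not the real root KSK.

```python
import base64
import hashlib
import struct

# Constructed sample anchor in the DNSKEY presentation format that bind's
# managed-keys and unbound's root.key use. The key bytes (01..08) are made up
# for this example and are NOT the real root KSK.
SAMPLE_DNSKEY = ". IN DNSKEY 257 3 8 AQIDBAUGBwg="


def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, raw key bytes) from a DNSKEY RR."""
    fields = line.split()
    idx = fields.index("DNSKEY")  # tolerates an optional TTL/class before it
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, alg, key


def owner_to_wire(owner):
    """Wire-format owner name, lowercased as RFC 4034 requires for DS input."""
    if owner == ".":
        return b"\x00"
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(flags, proto, alg, key):
    """Key tag from RFC 4034 Appendix B: 16-bit sum over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def dnskey_to_ds(line, digest_type=2):
    """DS record (RFC 4034 section 5.1.4) for a DNSKEY anchor; 1 = SHA-1, 2 = SHA-256."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    hexdigest = digest(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(flags, proto, alg, key)} {alg} {digest_type} {hexdigest}"


def anchor_matches_ds(dnskey_line, ds_line):
    """True if a DNSKEY anchor hashes to the given DS (tag, alg, type, digest all agree)."""
    want = [f.upper() for f in ds_line.split()[-4:]]
    return dnskey_to_ds(dnskey_line, int(want[2])).split()[-4:] == want
```

`anchor_matches_ds` is the check an application would run after reading a DNSKEY-format anchor from a system path, comparing it against a DS digest obtained separately.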