Re: where is the DNSSEC root key?
>>>>> Philipp Kern <pkern@debian.org> writes:
>>>>> On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:
>> Last I looked into this [which has admittedly been a while], Bind 9
>> was the only DNS server that had actually implemented DNSSEC, and
>> the others I looked at (PowerDNS, djbdns, tinydns) had stated (IIRC)
>> that they were /not/ going to be implementing it.
> Obviously there are also recursive resolver implementations, like
> unbound. To the client they look like DNS servers, too. (And you
> really want to use one of them on your local machine to do the DNSSEC
> validation.)
> Generally plain servers do not care about the key, it's just the
> recursive resolvers that need it.
To note is that dig(1) (of dnsutils) implements such a resolver
(while not being a DNS server.) With +sigchase and
+trusted-key=, it's perfectly capable of DNSSEC validation.
>> The problem with this idea is that files installed by Debian
>> packages must be unique in order to avoid file conflicts between
>> packages. One way around this issue is via 'alternatives'.
> Alternatives don't make sense. A dedicated package might make some.
Yes.
Such a package should also include the ISC DNSSEC Look-aside
Validation [1] trusted key, BTW.
[1] https://dlv.isc.org/
--
FSF associate member #7257