
Re: where is the DNSSEC root key?



>>>>> Philipp Kern <pkern@debian.org> writes:
>>>>> On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:

 >> Last I looked into this [which has admittedly been a while], Bind 9
 >> was the only DNS server that had actually implemented DNSSEC, and
 >> the others I looked at (PowerDNS, djbdns, tinydns) had stated (IIRC)
 >> that they were /not/ going to be implementing it.

 > Obviously there are also recursive resolver implementations, like
 > unbound.  To the client they look like DNS servers, too.  (And you
 > really want to use one of them on your local machine to do the DNSSEC
 > validation.)

 > Generally plain servers do not care about the key, it's just the
 > recursive resolvers that need it.

	To note is that dig(1) (of dnsutils) implements such a resolver
	(while not being a DNS server.)  With +sigchase and
	+trusted-key=, it's perfectly capable of DNSSEC validation.

 >> The problem with this idea is that files installed by Debian
 >> packages must be unique in order to avoid file conflicts between
 >> packages.  One way around this issue is via 'alternatives'.

 > Alternatives don't make sense.  A dedicated package might make some.

	Yes.

	Such a package should also include the ISC DNSSEC Look-aside
	Validation [1] trusted key, BTW.

[1] https://dlv.isc.org/

-- 
FSF associate member #7257

