
Re: where is the DNSSEC root key?



On Thursday, October 04, 2012 10:44:10 PM Philipp Kern wrote:
> On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:
> > Last I looked into this [which has admittedly been a while], Bind 9 was the
> > only DNS server that had actually implemented DNSSEC, and the others I
> > looked at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were
> > /not/ going to be implementing it.
> 
> Obviously there are also recursive resolver implementations, like unbound.
> To the client they look like DNS servers, too. (And you really want to use
> one of them on your local machine to do the DNSSEC validation.)

Obviously I forgot about that case; thanks for pointing this out.
[Likewise I hadn't considered the possibility of 'dig' being able to do this 
either.]

> Generally plain servers do not care about the key, it's just the recursive
> resolvers that need it.

That makes sense; the reason I missed the other cases is that I'm used to 
Bind9, where the recursive resolver /is/ the DNS server.  [Which itself is an 
issue.]

> > The problem with this idea is that files installed by Debian packages must
> > be unique in order to avoid file conflicts between packages.  One way
> > around this issue is via 'alternatives'.  [1]
> 
> Alternatives don't make sense. A dedicated package might make some.

Yes I thought about the dedicated package case first, but then realized that 
this would introduce a Depends/Suggests/Recommends on that package to the 
other DNS server packages that are DNSSEC capable.  However being that there's 
clearly a wider use case for the DNSSEC root key, I see what you mean and I 
agree.

Thanks.

-- 

  -- Chris

Chris Knadle
Chris.Knadle@coredump.us

