Re: where is the DNSSEC root key?
On Thursday, October 04, 2012 10:44:10 PM Philipp Kern wrote:
> On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:
> > Last I looked into this [which has admittedly been a while], Bind 9 was the
> > only DNS server that had actually implemented DNSSEC, and the others I
> > looked at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were
> > /not/ going to be implementing it.
>
> Obviously there are also recursive resolver implementations, like unbound.
> To the client they look like DNS servers, too. (And you really want to use
> one of them on your local machine to do the DNSSEC validation.)
Obviously I forgot about that case; thanks for pointing this out.
[Likewise I hadn't considered the possibility of 'dig' being able to do this
either.]
> Generally plain servers do not care about the key, it's just the recursive
> resolvers that need it.
That makes sense; the reason I missed the other cases is that I'm used to
Bind9, where the recursive resolver /is/ the DNS server. [Which itself is an
issue.]
> > The problem with this idea is that files installed by Debian packages must
> > be unique in order to avoid file conflicts between packages. One way
> > around this issue is via 'alternatives'. [1]
>
> Alternatives don't make sense. A dedicated package might make some.
Yes I thought about the dedicated package case first, but then realized that
this would introduce a Depends/Suggests/Recommends on that package to the
other DNS server packages that are DNSSEC capable. However being that there's
clearly a wider use case for the DNSSEC root key, I see what you mean and I
agree.
Thanks.
--
-- Chris
Chris Knadle
Chris.Knadle@coredump.us