Re: where is the DNSSEC root key?



On Thursday, October 04, 2012 06:42:08, Nikos Mavrogiannopoulos wrote:
> Hello,
>  I've started working with DNSSEC and I noticed a quite important
> issue. The DNSSEC libraries ask for the root key, but where this file
> is located is system specific (meaning no fixed location). Where is
> this key located in Debian (let's forget the multiple possible
> formats)? The DNSSEC wiki in [0] mentions that the package bind9
> contains the key. However this key may be required even without bind9.

Last I looked into this [which has admittedly been a while], Bind 9 was the 
only DNS server that had actually implemented DNSSEC, and the others I looked 
at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were /not/ going to 
be implementing it.

> My request is, whether there can be a fixed file location similar to
> /etc/ssl/certs/ca-certificates.crt that will contain the DNSSEC root
> key either in the bind or the unbound format? That way DNSSEC
> applications could rely on the Debian system to update/obtain the key.

The problem with this idea is that files installed by Debian packages must be 
unique in order to avoid file conflicts between packages.  One way around this 
issue is via 'alternatives'.  [1]

However since all DNS servers are generally meant to use port 53, I think it's 
unlikely to install more than one DNS server locally, so I'm not sure if doing 
this makes sense from a packaging perspective.  [I can see how it does from an 
administration perspective.]

[1]  http://www.debian.org/doc/debian-policy/ap-pkg-alternatives.html

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us
GPG Key: 4096R/0x1E759A726A9FDD74

