
Re: Bug#752745: ITP: dnssec-root-key -- This package contains DNSSEC root key
Ondřej Surý wrote:
> Package: wnpp
> Severity: wishlist
> Owner: "Ondřej Surý" <ondrej@debian.org>
> 
> * Package name    : dnssec-root-key

Hm, I would maybe call this dnssec-root-anchors.  Technically there
should be very few copies of the root key :-)

Similarly, s/key/trust anchors/g in the descriptions?

>   Version         : 20100715
>   Upstream Author : ICANN/IANA
> * URL             : http://data.iana.org/root-anchors/

> * License         : Public Data (same as with root.zone)

It might be nice to include a copy of this document in /usr/share/doc:

    http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt

Since it looks like this is the only place where a schema is defined for
the root-anchors.xml file.

But I guess we would need a better (non-)license than this:

   Copyright (c) 2010 Internet Corporation For Assigned Names and
   Numbers.

>   Programming Lang: None
>   Description     : This package contains DNSSEC root key
> 
> This package contains DNSSEC root key in all available
> formats that all packages doing DNSSEC validation can
> use as a common data source.
> .
> unbound-anchor is used to keep the root.key up-to-date
> via RFC5011 mechanism.
> 
> --
> 
> PERSONAL NOTE: I now maintain at least two packages that
> need DNSSEC root.key (hash-slinger and getdns[1]).  There
> are at least bind9, unbound and dnsmasq that can use this
> as well.
> 
> 
> 1. Waiting for next upstream release with proper libtool
> flags.

So, I wonder if this package should be responsible for providing the
root-anchors.xml file, and the bind9/unbound/dnsmasq/etc. packages
should be responsible for converting that from XML to whatever format
they use (and unfortunately it appears every different program uses a
different trust anchor format).

Or by "all available formats" do you mean that this source package
should take the root-anchors.xml file and generate several common
formats (at package build time?) and provide them in /usr/share
alongside the original root-anchors files from iana.org, so that DNSSEC
software packages don't need an XML dependency?  (Though, bind9 and
unbound-anchor already pull in XML parsing libraries, but e.g. dnsmasq
currently does not.)

Should we patch unbound-anchor so that its fallback mode (where it tries
to fetch files from https://data.iana.org/root-anchors/) can be made to
check file:///usr/share/dnssec-root-anchors/ first?  (And if so, it'd be
nice to upstream that.)

Should we do anything about the built-in static content in
unbound-anchor that would be duplicative of the content in this package?
I'm talking about this:

    http://anonscm.debian.org/gitweb/?p=users/edmonds/unbound.git;a=blob;f=smallapp/unbound-anchor.c;h=8ea4726b06313bf2f910d07f870d4e5350e25bce;hb=HEAD#l207

And this:

    http://anonscm.debian.org/gitweb/?p=users/edmonds/unbound.git;a=blob;f=smallapp/unbound-anchor.c;h=8ea4726b06313bf2f910d07f870d4e5350e25bce;hb=HEAD#l237

And, finally, is it known that the root DNSSEC key will be rolled over
with RFC 5011 semantics?

Anyway, consider this email an offer to co-maintain :-)

-- 
Robert Edmonds
edmonds@debian.org
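To make the "who converts the XML" question above concrete, here is an added example (not code from the ITP, from ICANN, or from any of the resolver packages mentioned) that does the conversion the thread is discussing: it reads a document in the root-anchors.xml layout described by draft-icann-dnssec-trust-anchor (TrustAnchor, Zone, KeyDigest with validFrom/validUntil, KeyTag, Algorithm, DigestType, Digest), keeps only anchors that are valid at a given time, sanity-checks the digest length against the digest type, and emits the DS-record syntax unbound's trust-anchor-file accepts and dnsmasq's trust-anchor= option. The sample XML embedded below is constructed for the example; its key tags and digests are placeholders, not the real root trust anchor, and the `now` parameter is an assumption added so the validity filter can be exercised deterministically.

```python
"""Convert an IANA-style root-anchors.xml into per-resolver trust-anchor formats.

Added example, not Debian's, ICANN's or any resolver project's own code.
Element layout follows draft-icann-dnssec-trust-anchor; output syntaxes are
unbound's trust-anchor-file (DS records in zone-file form) and dnsmasq's
trust-anchor= configuration option.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the root-anchors.xml layout. Key tags and digests
# are placeholders, NOT the real root trust anchor. The second KeyDigest
# has a validUntil in the past so the validity filter has something to drop.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="00000000-0000-0000-0000-000000000000"
             source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="example1" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>12345</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF</Digest>
</KeyDigest>
<KeyDigest id="expired1" validFrom="2000-01-01T00:00:00+00:00"
           validUntil="2005-01-01T00:00:00+00:00">
<KeyTag>11111</KeyTag>
<Algorithm>5</Algorithm>
<DigestType>1</DigestType>
<Digest>FEDCBA9876543210FEDCBA9876543210FEDCBA98</Digest>
</KeyDigest>
</TrustAnchor>
"""

# Hex length a DS digest must have for each digest type we accept:
# 1 = SHA-1 (20 bytes), 2 = SHA-256 (32 bytes), 4 = SHA-384 (48 bytes).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def _parse_time(value):
    # root-anchors.xml timestamps are ISO 8601 with an explicit UTC offset.
    return datetime.fromisoformat(value)


def parse_root_anchors(xml_text, now=None):
    """Return anchors valid at `now` as dicts (zone, keytag, algorithm,
    digest_type, digest). Malformed digests raise instead of being
    silently emitted, since a bad trust anchor breaks all validation."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "TrustAnchor":
        raise ValueError("not a TrustAnchor document")
    zone = root.findtext("Zone")
    if zone is None:
        raise ValueError("missing Zone element")
    anchors = []
    for kd in root.findall("KeyDigest"):
        valid_from = _parse_time(kd.get("validFrom"))
        valid_until = kd.get("validUntil")
        if now < valid_from:
            continue  # not yet in use (pre-published during a rollover)
        if valid_until is not None and now >= _parse_time(valid_until):
            continue  # revoked / retired anchor
        digest_type = int(kd.findtext("DigestType"))
        digest = kd.findtext("Digest").strip().upper()
        expected = DIGEST_HEX_LEN.get(digest_type)
        if expected is None:
            raise ValueError("unsupported DigestType %d" % digest_type)
        if len(digest) != expected:
            raise ValueError("digest length %d does not match DigestType %d"
                             % (len(digest), digest_type))
        int(digest, 16)  # raises ValueError on non-hex characters
        anchors.append({
            "zone": zone.strip(),
            "keytag": int(kd.findtext("KeyTag")),
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": digest_type,
            "digest": digest,
        })
    return anchors


def to_unbound(anchors):
    """DS records in zone-file syntax, as accepted by unbound's trust-anchor-file."""
    return "\n".join(
        "%s IN DS %d %d %d %s" % (a["zone"], a["keytag"], a["algorithm"],
                                  a["digest_type"], a["digest"])
        for a in anchors)


def to_dnsmasq(anchors):
    """dnsmasq syntax: trust-anchor=<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>"""
    return "\n".join(
        "trust-anchor=%s,%d,%d,%d,%s" % (a["zone"], a["keytag"], a["algorithm"],
                                         a["digest_type"], a["digest"])
        for a in anchors)


if __name__ == "__main__":
    current = parse_root_anchors(SAMPLE_XML)
    print(to_unbound(current))
    print(to_dnsmasq(current))
```

Run it against a real root-anchors.xml only after verifying the file's detached signature, since the converter trusts whatever the XML says; the point of keeping the conversion in one place is that each resolver package then consumes a checked, pre-generated file rather than parsing XML on its own.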

