Bug#752745: ITP: dnssec-root-key -- This package contains DNSSEC root key
Iain R. Learmonth wrote:
> unbound-anchor is already packaged in Debian. What does this package provide
> that the unbound-anchor doesn't?
The output of unbound-anchor is intended for use by the unbound daemon
only, more or less; what unbound calls an "autotrust anchor file". It
looks like this:
$ unbound-anchor -a /tmp/root.key
$ cat /tmp/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1403825702 ;;Thu Jun 26 19:35:02 2014
;;last_success: 1403825702 ;;Thu Jun 26 19:35:02 2014
;;next_probe_time: 1403866063 ;;Fri Jun 27 06:47:43 2014
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1403825702 ;;Thu Jun 26 19:35:02 2014
(Though, it tries to use "master zone file format" for the DNSKEY
record, and keep its state isolated to what would be considered comments
by a zone file parser.)
It uses embedded key material in the unbound-anchor source code to
produce this. This embedded key material could be provided by this new
package, instead.
BIND, on the other hand, expects something that looks like this:
managed-keys {
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};
dnsmasq wants a third format:
# The root DNSSEC trust anchor, valid as at 30/01/2014
# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
So, the idea is that instead of each program capable of performing
DNSSEC validation having its own copy of the DNSSEC root trust anchor
(and handling key rollover, or not), that we centralize the key material
in a single package, rather than the upstream developers being
responsible for keeping the key updated. But then we need to figure out
how to get the key material into the format that the various programs
expect. (I haven't looked to see what format getdns and hash-slinger
expect.)
--
Robert Edmonds
edmonds@debian.org
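To make the "one key, three formats" point concrete, here is an added example (not part of the message above or of any Debian package) that takes the root KSK quoted in the unbound-anchor output and renders it as a DNSKEY presentation line, a BIND managed-keys stanza, and a dnsmasq trust-anchor line. The dnsmasq line needs a DS record rather than the DNSKEY, so the script derives the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) from the key material and checks them against the 19036 / 49AAC11D... values shown in the message. The helper names and the 56-column wrapping of the BIND string are my own choices (the wrapping mirrors the sample above); the key bytes are the ones in the message.

```python
"""Render one DNSSEC trust anchor (a DNSKEY RR) into the unbound, BIND and
dnsmasq formats, deriving the DS digest dnsmasq wants from the DNSKEY.

Added example. The key material is the root KSK quoted in the message
(flags 257, protocol 3, algorithm 8); helper names are hypothetical."""
import base64
import hashlib
import struct

# Root KSK public key, copied from the unbound-anchor output above.
ROOT_KSK_FLAGS, ROOT_KSK_PROTOCOL, ROOT_KSK_ALGORITHM = 257, 3, 8
ROOT_KSK_PUBKEY_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Wire-format owner name; the root '.' is just a single zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def render_dnskey_rr(owner, ttl, flags, protocol, algorithm, pubkey_b64):
    """Master-zone-file DNSKEY line, as in the unbound autotrust file."""
    return f"{owner} {ttl} IN DNSKEY {flags} {protocol} {algorithm} {pubkey_b64}"


def render_bind_managed_keys(owner, flags, protocol, algorithm, pubkey_b64):
    """BIND managed-keys stanza; the quoted key spans lines like the sample."""
    chunks = [pubkey_b64[i:i + 56] for i in range(0, len(pubkey_b64), 56)]
    body = "\n".join(chunks)
    return (
        "managed-keys {\n"
        f'  {owner} initial-key {flags} {protocol} {algorithm} "{body}";\n'
        "};"
    )


def render_dnsmasq_trust_anchor(owner, tag, algorithm, digest_type, digest_hex):
    """dnsmasq wants the DS record: tag, algorithm, digest type, digest."""
    return f"trust-anchor={owner},{tag},{algorithm},{digest_type},{digest_hex}"


def root_trust_anchor_formats():
    """Derive every per-program representation from the single DNSKEY."""
    rdata = dnskey_rdata(ROOT_KSK_FLAGS, ROOT_KSK_PROTOCOL, ROOT_KSK_ALGORITHM,
                         ROOT_KSK_PUBKEY_B64)
    tag = key_tag(rdata)
    digest = ds_digest_sha256(".", rdata)
    return {
        "key_tag": tag,
        "ds_sha256": digest,
        "dnskey": render_dnskey_rr(".", 172800, ROOT_KSK_FLAGS, ROOT_KSK_PROTOCOL,
                                   ROOT_KSK_ALGORITHM, ROOT_KSK_PUBKEY_B64),
        "bind": render_bind_managed_keys(".", ROOT_KSK_FLAGS, ROOT_KSK_PROTOCOL,
                                         ROOT_KSK_ALGORITHM, ROOT_KSK_PUBKEY_B64),
        "dnsmasq": render_dnsmasq_trust_anchor(".", tag, ROOT_KSK_ALGORITHM, 2, digest),
    }


if __name__ == "__main__":
    formats = root_trust_anchor_formats()
    print(formats["dnskey"])
    print(formats["bind"])
    print(formats["dnsmasq"])
```

Because the DS digest is recomputed from the DNSKEY rather than copied, a central package built this way can also check that the DS it ships for dnsmasq and the DNSKEY it ships for unbound and BIND actually describe the same key, which is the consistency problem a single source of key material is meant to solve.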