[ldns-users] DNSSEC (was Re: function call backs in ldns_resolver_send*?)

W.C.A. Wijngaards wouter at NLnetLabs.nl
Thu Dec 16 08:25:52 UTC 2010

Hi Paul,

On 12/15/2010 10:03 PM, Paul Wouters wrote:
> On Wed, 15 Dec 2010, Paul Wouters wrote:
>>> use the local resolver
>>> dont trust the local resolver
>>> do the validation yourself
>> If you do validation yourself, I guess you also have to cache yourself?
> Additionally, you have to figure out where to put the trust anchors. If you
> can't trust the local resolver to validate, you can't trust it for its
> trust anchors either. Would openswan need an option to load trust anchors?

The trust anchor can be stored in /etc/root.anchor or /etc/root.key or a
similar name (check compat with bind installs).  At system boot time you
can run unbound-anchor to make this file a valid root trust anchor.
Then you can load it in unbound, or in a libunbound instance (with
auto-trust-anchor-file: /etc/unbound.root.anchor option).

This way you can distribute keys to all apps.  But note that if your
machine is up for a long time, the key may go stale.  You would need a
cron-job with unbound-anchor or running the unbound daemon to keep the
key up-to-date (cron every week or so).

> Not sure I like the way this is going :P

> Would implementing either be very different? Can we do libunbound first and
> stubunbound later? Wouter? 

So, libunbound resolves exactly like libunbound.  You can use both (have
libunbound forward towards and validate itself).  libunbound
does what Miek says: it always gives you an answer, but sets the 'bogus'
flag if it is bogus. (and 'secure' if it is secure).  If it is bogus you
get a string with text what happened.

Best regards,
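
Added example, not part of the original message and not code from the Unbound project: a caller that loads the anchor file named above, forwards to the local resolver while validating in-process, and acts on the 'secure' and 'bogus' flags. The names dnssec_verdict and USE_LIBUNBOUND, the default query name, and the policy of rejecting unsigned answers are assumptions made for the illustration.

```c
/* Added example, not from the thread.
 * Build: cc -DUSE_LIBUNBOUND check.c -lunbound */
#include <stdio.h>

enum verdict { ACCEPT_SECURE, REJECT_BOGUS, REJECT_INSECURE, REJECT_NODATA };

/* libunbound hands back an answer in every case; only 'secure' means the
 * chain of trust validated. Rejecting insecure (unsigned) answers is an
 * assumed policy for callers that fetch key material from DNS. */
enum verdict dnssec_verdict(int secure, int bogus, int havedata)
{
    if (bogus)     return REJECT_BOGUS;    /* validation failed */
    if (!secure)   return REJECT_INSECURE; /* no chain of trust */
    if (!havedata) return REJECT_NODATA;   /* validated, but no such data */
    return ACCEPT_SECURE;
}

#ifdef USE_LIBUNBOUND
#include <unbound.h>

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "nlnetlabs.nl."; /* arbitrary default */
    struct ub_result *res = NULL;
    struct ub_ctx *ctx = ub_ctx_create();
    int rc;

    if (!ctx) return 2;
    /* Anchor file kept fresh by unbound-anchor; path as in the message. */
    rc = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", "/etc/unbound.root.anchor");
    /* Forward to the local resolver but validate in-process. */
    if (rc == 0) rc = ub_ctx_resolvconf(ctx, "/etc/resolv.conf");
    if (rc == 0) rc = ub_resolve(ctx, name, 1 /* A */, 1 /* IN */, &res);
    if (rc != 0) {
        fprintf(stderr, "libunbound: %s\n", ub_strerror(rc));
        ub_ctx_delete(ctx);
        return 2;
    }
    enum verdict v = dnssec_verdict(res->secure, res->bogus, res->havedata);
    if (v == REJECT_BOGUS)
        fprintf(stderr, "bogus: %s\n", res->why_bogus ? res->why_bogus : "(no reason)");
    printf("%s: %s\n", name, v == ACCEPT_SECURE ? "secure" : "rejected");
    ub_resolve_free(res);
    ub_ctx_delete(ctx);
    return v == ACCEPT_SECURE ? 0 : 1;
}
#endif
```

Without -DUSE_LIBUNBOUND only the decision function is compiled, so the flag handling can be unit-tested on a machine that has no libunbound installed.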

