[ldns-users] DNSSEC (was Re: function call backs in ldns_resolver_send*?)
wouter at NLnetLabs.nl
Thu Dec 16 08:25:52 UTC 2010
On 12/15/2010 10:03 PM, Paul Wouters wrote:
> On Wed, 15 Dec 2010, Paul Wouters wrote:
>>> use the local resolver
>>> don't trust the local resolver
>>> do the validation yourself
>> If you do validation yourself, I guess you also have to cache yourself?
> Additionally, you have to figure out where to put the trust anchors. If you
> can't trust the local resolver to validate, you can't trust it for its
> trust anchors either. Would openswan need an option to load trust anchors?
The trust anchor can be stored in /etc/root.anchor or /etc/root.key or a
similar name (check compat with bind installs). At system boot time you
can run unbound-anchor to make this file a valid root trust anchor.
Then you can load it in unbound, or in a libunbound instance (with
auto-trust-anchor-file: /etc/unbound.root.anchor option).
This way you can distribute keys to all apps. But note that if your
machine is up for a long time, the key may go stale. You would need a
cron-job with unbound-anchor or running the unbound daemon to keep the
key up-to-date. (cron every week or so).
> Not sure I like the way this is going :P
> Would implementing either be very different? Can we do libunbound first and
> stubunbound later? Wouter?
So, libunbound resolves exactly like unbound. You can use both (have
libunbound forward towards 127.0.0.1 and validate itself). libunbound
does what Miek says: it always gives you an answer, but sets the 'bogus'
flag if it is bogus (and 'secure' if it is secure). If it is bogus you
get a string with text describing what happened.
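The consumer side of what Wouter describes, as an added example that is not from the ldns-users thread or from NLnet Labs: an application that lets libunbound validate for itself while forwarding to the local resolver for caching, and then acts on the 'secure' and 'bogus' flags rather than on the mere presence of an answer. The `answer_status` struct (a mirror of the relevant `ub_result` fields), the `USE_LIBUNBOUND` build switch, and the sample results with their `why_bogus` text are constructions of this example; the anchor path `/etc/unbound.root.anchor` is the one named in the message.

```c
/* Added example: application-side handling of a libunbound answer.
 * Not code from the ldns-users thread or from NLnet Labs; USE_LIBUNBOUND,
 * answer_status and the sample answers are this example's own constructions.
 *   cc demo.c                             -> offline, constructed answers
 *   cc -DUSE_LIBUNBOUND demo.c -lunbound  -> live lookup through libunbound */
#include <stdio.h>
#include <string.h>

enum dnssec_verdict {
    VERDICT_SECURE,   /* chain validated from the trust anchor: safe to act on */
    VERDICT_INSECURE, /* provably unsigned zone: not forged, but not authenticated */
    VERDICT_BOGUS,    /* validation failed: spoofing or a broken zone, refuse */
    VERDICT_ERROR     /* lookup error or no data: nothing to decide on */
};

/* The fields of libunbound's struct ub_result that the decision needs,
 * mirrored so the policy can run and be tested without linking libunbound. */
struct answer_status {
    int rcode;             /* DNS RCODE, 0 = NOERROR, 3 = NXDOMAIN */
    int havedata;          /* 1 if the answer carries RRs */
    int nxdomain;          /* 1 if the name provably does not exist */
    int secure;            /* validator flag: validated */
    int bogus;             /* validator flag: validation failed */
    const char *why_bogus; /* validator's explanation when bogus, else NULL */
};

/* Classify one answer; 'reason' receives a short log line. 'bogus' is tested
 * first so a contradictory result with both flags set is never used. */
enum dnssec_verdict classify(const struct answer_status *r, char *reason, size_t len)
{
    if (r->bogus) {
        snprintf(reason, len, "bogus: %s",
                 r->why_bogus ? r->why_bogus : "(no explanation)");
        return VERDICT_BOGUS;
    }
    if (r->rcode != 0 && !r->nxdomain) {
        snprintf(reason, len, "lookup failed, rcode %d", r->rcode);
        return VERDICT_ERROR;
    }
    if (!r->havedata && !r->nxdomain) {
        snprintf(reason, len, "no data");
        return VERDICT_ERROR;
    }
    if (r->secure) {
        snprintf(reason, len, "secure%s", r->nxdomain ? " (name does not exist)" : "");
        return VERDICT_SECURE;
    }
    snprintf(reason, len, "insecure (unsigned zone)");
    return VERDICT_INSECURE;
}

/* Policy for key material fetched from DNS: only a validated answer that
 * actually carries data may be used. An insecure answer is refused too,
 * because an unsigned zone gives no protection against a spoofed record. */
int usable_for_keys(const struct answer_status *r)
{
    char why[160];
    return r->havedata && classify(r, why, sizeof why) == VERDICT_SECURE;
}

#ifdef USE_LIBUNBOUND
#include <unbound.h>
/* Live path as described in the thread: validate locally from the root trust
 * anchor file, but forward to 127.0.0.1 so the local resolver's cache is used.
 * The anchor file must be kept fresh with unbound-anchor (boot time, then cron). */
static int live_lookup(const char *name, int rrtype)
{
    struct ub_ctx *ctx = ub_ctx_create();
    struct ub_result *res = NULL;
    struct answer_status st;
    char why[160];
    int err;

    if (!ctx) return -1;
    if ((err = ub_ctx_set_option(ctx, "auto-trust-anchor-file:",
                                 "/etc/unbound.root.anchor")) != 0 ||
        (err = ub_ctx_set_fwd(ctx, "127.0.0.1")) != 0 ||
        (err = ub_resolve(ctx, name, rrtype, 1 /* IN */, &res)) != 0) {
        fprintf(stderr, "libunbound: %s\n", ub_strerror(err));
        ub_ctx_delete(ctx);
        return -1;
    }
    st.rcode = res->rcode;       st.havedata = res->havedata;
    st.nxdomain = res->nxdomain; st.secure = res->secure;
    st.bogus = res->bogus;       st.why_bogus = res->why_bogus;
    classify(&st, why, sizeof why);
    printf("%s type %d: %s; usable for keys: %s\n", name, rrtype, why,
           usable_for_keys(&st) ? "yes" : "no");
    ub_resolve_free(res);
    ub_ctx_delete(ctx);
    return 0;
}
#endif

int main(int argc, char **argv)
{
#ifdef USE_LIBUNBOUND
    if (argc > 1) return live_lookup(argv[1], 1 /* A */) == 0 ? 0 : 1;
#endif
    /* Constructed sample answers (not real lookup results): secure, insecure, bogus. */
    const struct answer_status samples[] = {
        { 0, 1, 0, 1, 0, NULL },
        { 0, 1, 0, 0, 0, NULL },
        { 0, 1, 0, 0, 1, "validation failure <example.com. A IN>: no signatures from 192.0.2.53" },
    };
    char why[160];
    size_t i;
    (void)argc; (void)argv;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        classify(&samples[i], why, sizeof why);
        printf("sample %zu: %s; usable for keys: %s\n", i, why,
               usable_for_keys(&samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

Two points the policy encodes that the flags alone do not spell out: an answer with neither flag set is insecure, not secure, so a caller that only tests 'bogus' will accept unsigned (spoofable) data, and a secure denial of existence is still 'secure' but carries nothing to act on. With `auto-trust-anchor-file:` libunbound tracks key rollovers per RFC 5011 and rewrites the file, so the process needs write access to it; that, plus the weekly refresh Wouter mentions, is what keeps the anchor from going stale on a long-running host.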