[ldns-users] Proposed new api to load build-time configured trust anchors

Scott Shambarger scott-nlnetlabs at shambarger.net
Sat Aug 20 17:15:00 UTC 2016

I've been trying to get openssh to locally validate SSHFP records on 

The problem stems from the fact that OSX's configd rewrites 
/etc/resolv.conf each time the network changes (think connecting to a 
coffee shop's wifi).  Openssh (configured with ldns) connections will 
then query the SSHFP record, but as the trust anchors are not referenced 
in resolv.conf, it is unable to perform DNSSEC validation.

Openssh maintainers don't feel that trust-anchor loading is in their 
scope of responsibility, and feel the ldns interface should work "out of 
the box" (see Comment#1 at 

I submitted a patch to add a new api to libldns to load keys from 
build-time defined locations (by default $sysconfdir/trusted-key.key and 
$sysconfdir/unbound/root.key), in 
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=727 -- however, 
there hasn't been any feedback on the proposal for 8 months...

I added a new api as drill (and possibly other users) may want to load 
their own trust anchors and not have any loaded by default; however 
users such as openssh do want validation to work without adding their 
own anchor files.

The root of the problem is still OSX, as other platforms can just add 
the "anchor" key to /etc/resolv.conf (but edits are wiped repeatedly on 

I'd love to hear if anyone has a better solution though :)
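The loading order the proposal describes, as an added illustration in Python (not ldns code and not the patch from bug 727): use any `anchor` file named in resolv.conf, and fall back to the build-time default files when configd has rewritten resolv.conf without one. It assumes `anchor <file>` lines, `$sysconfdir` = /etc, and constructed anchor files with placeholder key material.

```python
# Constructed sample inputs: a resolv.conf as configd might rewrite it (no
# "anchor" line), the same file with an anchor, and a fake filesystem holding
# anchor files with placeholder (non-real) key data so this runs offline.
RESOLV_CONF_REWRITTEN = "# Generated by configd\nnameserver 10.0.0.1\nsearch example.test\n"
RESOLV_CONF_WITH_ANCHOR = RESOLV_CONF_REWRITTEN + "anchor /etc/my-anchor.key\n"
FAKE_FS = {
    "/etc/my-anchor.key": ". IN DS 20326 8 2 ABCDEF0123456789PLACEHOLDER\n",
    "/etc/unbound/root.key": (
        "; autotrust trust anchor file (constructed placeholder key)\n"
        ". 172800 IN DNSKEY 257 3 8 AwEAAaPLACEHOLDER ;{id = 20326 (ksk), size = 2048b}\n"
    ),
}
# Assumed $sysconfdir=/etc; the paths are the defaults named in the post.
BUILD_TIME_DEFAULTS = ("/etc/trusted-key.key", "/etc/unbound/root.key")

def fake_read(path):
    """Stand-in for open(path).read() over the constructed filesystem."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]

def anchor_files_from_resolv_conf(text):
    """Return file names given on 'anchor' lines ('#' starts a comment)."""
    files = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "anchor":
            files.append(parts[1])
    return files

def parse_anchor_file(contents):
    """Parse DS/DNSKEY RRs in presentation format; ';' starts a comment."""
    anchors = []
    for line in contents.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 2 and fields[1].isdigit():  # optional TTL
            del fields[1]
        if len(fields) >= 4 and fields[1] == "IN" and fields[2] in ("DS", "DNSKEY"):
            anchors.append((fields[0], fields[2], " ".join(fields[3:])))
    return anchors

def load_trust_anchors(resolv_conf, read_file, defaults=BUILD_TIME_DEFAULTS):
    """Prefer resolv.conf anchors; else the build-time files. Returns (source, anchors)."""
    names = anchor_files_from_resolv_conf(resolv_conf)
    source = "resolv.conf" if names else "build-time defaults"
    anchors = []
    for name in (names or defaults):
        try:
            anchors.extend(parse_anchor_file(read_file(name)))
        except FileNotFoundError:
            continue  # only some of the default files may be installed
    return source, anchors
```

A validating client would log `source` so that a silently rewritten resolv.conf is visible, and treat an empty anchor list as "cannot validate" rather than as success.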
