[ldns-users] Proposed new api to load build-time configured trust anchors
scott-nlnetlabs at shambarger.net
Sat Aug 20 17:15:00 UTC 2016
I've been trying to get openssh to locally validate SSHFP records on
The problem stems from the fact that OSX's configd rewrites
/etc/resolv.conf each time the network changes (think connecting to a
coffee shop's wifi). Openssh (configured with ldns) connections will
then query the SSHFP record, but as the trust anchors are not referenced
in resolv.conf, it is unable to perform DNSSEC validation.
Openssh maintainers don't feel that trust-anchor loading is in their
scope of responsibility, and feel the ldns interface should work "out of
the box" (see Comment#1 at
I submitted a patch to add a new api to libldns to load keys from
build-time defined locations (by default $sysconfdir/trusted-key.key and
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=727 -- however,
there hasn't been any feedback on the proposal for 8 months...
I added a new api as drill (and possibly other users) may want to load
their own trust anchors and not have any loaded by default; however
users such as openssh do want validation to work without adding their
own anchor files.
The root of the problem is still OSX, as other platforms can just add
the "anchor" key to /etc/resolv.conf (but edits are wiped repeatedly on
I'd love to hear if anyone has a better solution though :)
More information about the ldns-users