[Unbound-users] DNSSEC trust anchors
tewinget at gmail.com
Tue Sep 30 00:22:24 UTC 2014
Thanks for the quick reply!
So for unbound installed in a default config on a Linux box, that seems
reasonable. But that doesn't help with Windows, and requires unbound
installed (rather than just e.g. libunbound-dev on *buntu). I'm hoping to
find a solution that will be very cross-platform friendly and not require
an extra dependency, but I can sacrifice the latter in the interest of the
former if necessary.
On Mon, Sep 29, 2014 at 8:09 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 29 Sep 2014, Thomas Winget wrote:
> Despite my best efforts searching, I can't seem to find the correct way
>> to deal with DNSSEC trust anchors cross-platform. I would
>> like to enable DNSSEC validation for various DNS-based functions in a
>> program that uses libunbound (C++), but maintaining trust
>> anchors within the git repo is untenable (as some users don't compile
>> from source). Note: the program uses libunbound for DNS
>> queries, not as a server.
>> Can anyone point me in the right direction for where various OS keep
>> DNSSEC anchors, or if they include them? Currently we build for
>> Win (XP+), OSX, Linux, and FreeBSD.
> Are you referring to the root key and the dlv key? Or are you referring
> to your own customer KSK keys?
> fedora/rhel and I believe debian/ubuntu, put the root key in
> /var/lib/unbound/root.anchor maintained by unbound-anchor.
> On fedora/rhel, we put the dlv key at /etc/unbound/dlv.isc.org.key
> custom KSKs on fedora/rhel go into /etc/unbound/keys.d
> That said, libreswan for example uses libunbound, and it actually
> includes its own copy of the root KSK. I wish we could get to a
> universal key directory, like /etc/dnssec/keys.d or something,
> using a single (bind) format for the key, but I think I will
> have a pony first.
Purdue University '12
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Unbound-users