[Unbound-users] DNSSEC trust anchors
Thomas Winget
2014-09-29 23:16:11 UTC
Despite my best efforts searching, I can't seem to find the correct way to
deal with DNSSEC trust anchors cross-platform. I would like to enable
DNSSEC validation for various DNS-based functions in a program that uses
libunbound (C++), but maintaining trust anchors within the git repo is
untenable (as some users don't compile from source). Note: the program
uses libunbound for DNS queries, not as a server.

Can anyone point me in the right direction for where various OS keep DNSSEC
anchors, or if they include them? Currently we build for Win (XP+), OSX,
Linux, and FreeBSD.

Thanks in advance if anyone is able to help.
--
Thomas Winget
Paul Wouters
2014-09-30 00:09:09 UTC
> Despite my best efforts searching, I can't seem to find the correct way to deal with DNSSEC trust anchors cross-platform.  I would
> like to enable DNSSEC validation for various DNS-based functions in a program that uses libunbound (C++), but maintaining trust
> anchors within the git repo is untenable (as some users don't compile from source).  Note: the program uses libunbound for DNS
> queries, not as a server.
> Can anyone point me in the right direction for where various OS keep DNSSEC anchors, or if they include them?  Currently we build for
> Win (XP+), OSX, Linux, and FreeBSD.
Are you referring to the root key and the dlv key? Or are you referring
to your own customer KSK keys?

fedora/rhel and, I believe, debian/ubuntu put the root key in
/var/lib/unbound/root.anchor, maintained by unbound-anchor.

On fedora/rhel, we put the dlv key at /etc/unbound/dlv.isc.org.key.

Custom KSKs on fedora/rhel go into /etc/unbound/keys.d.

That said, libreswan for example uses libunbound, and it actually
includes its own copy of the root KSK. I wish we could get to a
universal key directory, like /etc/dnssec/keys.d or something,
using a single (bind) format for the key, but I think I will
have a pony first.

Paul
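As an added example (not code from the thread, libreswan or the Unbound project), the following Python sketches the client-side logic Paul's answer implies: probe the distribution-managed anchor location first (only the Linux path named in the thread is listed; the thread gives no Windows, OS X or FreeBSD locations, so those platforms fall through to an embedded copy, which is what libreswan does), then parse the zone-format DS/DNSKEY lines and check that a DNSKEY actually corresponds to a DS before trusting the file. The `EMBEDDED_ROOT_ANCHOR` value is a constructed placeholder, not the real root KSK, and the function names are hypothetical.

```python
"""Locate and sanity-check a DNSSEC trust-anchor file for a libunbound client (added example)."""
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union

# Only the path given in the thread (Fedora/RHEL, probably Debian/Ubuntu, written by
# unbound-anchor). Other platforms have no entry and use the embedded fallback.
ANCHOR_CANDIDATES = {"linux": ["/var/lib/unbound/root.anchor"]}

# Constructed placeholder, NOT the real root KSK: a shipping program would embed the
# current IANA root DS record here, the way libreswan embeds its own copy of the root KSK.
EMBEDDED_ROOT_ANCHOR = ". IN DS 1291 8 2 " + "AB" * 32 + "\n"

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}          # SHA-1, SHA-256, SHA-384 digest sizes in hex chars
DIGEST_FUNC = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass
class DSRecord:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


@dataclass
class DNSKEYRecord:
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    def rdata(self) -> bytes:
        return bytes([self.flags >> 8, self.flags & 0xFF, self.protocol, self.algorithm]) + self.key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit key tag over the DNSKEY RDATA
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_digest(self, digest_type: int) -> str:
        # DS digest = hash(owner name in wire form || DNSKEY RDATA); the root "." is one zero byte
        return DIGEST_FUNC[digest_type](b"\x00" + self.rdata()).hexdigest().upper()


def parse_anchor_file(text: str) -> List[Union[DSRecord, DNSKEYRecord]]:
    """Parse zone-format DS/DNSKEY lines; unbound-anchor's ';;state=...' comments are skipped."""
    records: List[Union[DSRecord, DNSKEYRecord]] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        while len(fields) >= 3 and (fields[1].isdigit() or fields[1].upper() == "IN"):
            del fields[1]                        # drop optional TTL and class
        owner, rtype, *rest = fields
        if owner != ".":
            raise ValueError(f"root trust anchor expected, got owner {owner!r}")
        if rtype.upper() == "DS" and len(rest) == 4:
            tag, alg, dtype, digest = int(rest[0]), int(rest[1]), int(rest[2]), rest[3].upper()
            if len(digest) != DIGEST_HEX_LEN.get(dtype):
                raise ValueError(f"DS digest length does not match digest type {dtype}")
            bytes.fromhex(digest)                # rejects non-hex garbage
            records.append(DSRecord(tag, alg, dtype, digest))
        elif rtype.upper() == "DNSKEY" and len(rest) >= 4:
            key = base64.b64decode("".join(rest[3:]), validate=True)
            records.append(DNSKEYRecord(int(rest[0]), int(rest[1]), int(rest[2]), key))
        else:
            raise ValueError(f"unrecognised trust anchor line: {line!r}")
    if not records:
        raise ValueError("no trust anchors found")
    return records


def dnskey_matches_ds(key: DNSKEYRecord, ds: DSRecord) -> bool:
    """True if the DNSKEY is the key the DS record commits to."""
    return (key.key_tag() == ds.key_tag and key.algorithm == ds.algorithm
            and key.ds_digest(ds.digest_type) == ds.digest)


def locate_trust_anchor(platform: str, exists: Callable[[str], bool] = os.path.exists) -> Optional[str]:
    """First existing system anchor file for this platform, or None."""
    return next((p for p in ANCHOR_CANDIDATES.get(platform, []) if exists(p)), None)


def load_trust_anchor(platform: str, exists: Callable[[str], bool] = os.path.exists,
                      read: Callable[[str], str] = lambda p: open(p).read()
                      ) -> Tuple[str, List[Union[DSRecord, DNSKEYRecord]]]:
    """Prefer the distribution-maintained file; fall back to the embedded copy."""
    path = locate_trust_anchor(platform, exists)
    if path is None:
        return "embedded", parse_anchor_file(EMBEDDED_ROOT_ANCHOR)
    return path, parse_anchor_file(read(path))
```

Whichever source wins, the result feeds libunbound directly: a file path goes to `ub_ctx_add_ta_file()`, the embedded record string to `ub_ctx_add_ta()`, and after `ub_resolve()` the caller treats an answer as validated only when `result->secure` is set, inspecting `result->bogus` and `result->why_bogus` otherwise. Keeping the candidate list injectable (`exists`, `read`) is what makes the discovery logic testable without unbound installed, which is also the situation of a user who only has the library.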
Thomas Winget
2014-09-30 00:22:24 UTC
Thanks for the quick reply!

So for unbound installed in a default config on a Linux box, that seems
reasonable. But that doesn't help with Windows, and requires unbound
installed (rather than just e.g. libunbound-dev on *buntu). I'm hoping to
find a solution that will be very cross-platform friendly and not require
an extra dependency, but I can sacrifice the latter in the interest of the
former if necessary.
Post by Thomas Winget
> Despite my best efforts searching, I can't seem to find the correct way
> to deal with DNSSEC trust anchors cross-platform. I would
> like to enable DNSSEC validation for various DNS-based functions in a
> program that uses libunbound (C++), but maintaining trust
> anchors within the git repo is untenable (as some users don't compile
> from source). Note: the program uses libunbound for DNS
> queries, not as a server.
> Can anyone point me in the right direction for where various OS keep
> DNSSEC anchors, or if they include them? Currently we build for
> Win (XP+), OSX, Linux, and FreeBSD.
> Are you referring to the root key and the dlv key? Or are you referring
> to your own customer KSK keys?
> fedora/rhel and I believe debian/ubuntu, put the root key in
> /var/lib/unbound/root.anchor maintained by unbound-anchor.
> On fedora/rhel, we put the dlv key at /etc/unbound/dlv.isc.org.key
> custom KSKs on fedora/rhel go into /etc/unbound/keys.d
> That said, libreswan for example uses libunbound, and it actually
> includes its own copy of the root KSK. I wish we could get to a
> universal key directory, like /etc/dnssec/keys.d or something,
> using a single (bind) format for the key, but I think I will
> have a pony first.
> Paul
--
Thomas Winget
Computer Engineering
Purdue University '12