Your message dated Fri, 29 Apr 2022 16:53:34 +0300
with message-id <[email protected]>
and subject line Re: no root.key provided by libunbound2
has caused the Debian Bug report #900241,
regarding no root.key provided by libunbound2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
900241: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900241
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound
Version: 1.7.1-1

TL;DR: applications using libunbound2 should have access to a fresh root.key

If one installs unbound-anchor or unbound-host or any other application
using libunbound2, they will be missing a fresh copy of the root.key for
DNSSEC validation. This is because /var/lib/unbound/root.key is managed
by a helper script provided by the unbound package only.

Ideally, installing libunbound2 should provide a root.key that is kept
up to date for root KSK rollovers.

A possible solution would be to have libunbound2 depend on
unbound-anchor and have the unbound-anchor package ship a cron job (or
systemd.timer unit) to periodically refresh the root.key file.

If the proposed solution makes sense to you, I'd be happy to work on the
implementation.

Regards,
Simon


P.S: This problem was initially reported to Ubuntu
https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1771545



--- End Message ---
--- Begin Message ---
Control: tag -1 - moreinfo

On Thu, 28 Apr 2022 20:02:43 +0300 Michael Tokarev <[email protected]> wrote:

I don't think adding this to libunbound is a good idea since software
using it isn't necessarily using the root key, but adding it to
the binary packages which actually use that data seems reasonable.

libunbound itself does not use DNS root.key. An application using libunbound
(such as unbound-host) might use this file to provide it to libunbound. So
it is the users of libunbound who should depend on dns-root-data-provided
/usr/share/dns/root.key, not libunbound itself. At least as long as it does
not have functions to retrieve "default" root.key.

Closing this bug report now.

Thanks,

/mjt

--- End Message ---
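
The point made in the closing message, that the program using libunbound is the one that has to find a root.key and hand it over, can be sketched as follows. This is an added example, not part of the thread or of any Debian package: the function names are hypothetical, the two paths are the ones named in the messages above, and the check only confirms that the file holds a root-zone DS or DNSKEY record, not that the key is current.

```shell
#!/bin/sh
# Candidate trust-anchor files, both taken from the thread above:
# the dns-root-data copy and the one managed by the unbound package.
ANCHOR_CANDIDATES="/usr/share/dns/root.key /var/lib/unbound/root.key"

# has_root_anchor FILE (hypothetical helper): succeed only if FILE is
# readable and contains at least one DS or DNSKEY record owned by the
# root zone ("."). Lines that are only ";" comments are skipped, and a
# trailing ";" comment on a record line is not searched.
has_root_anchor() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*;/ { next }
        $1 == "." {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^;/) break
                if ($i == "DS" || $i == "DNSKEY") { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# pick_root_anchor [FILE...] (hypothetical helper): print the first
# usable anchor file. With no arguments the candidates above are tried.
# Fails loudly instead of letting the caller resolve without validation.
pick_root_anchor() {
    [ "$#" -gt 0 ] || set -- $ANCHOR_CANDIDATES
    for f in "$@"; do
        if has_root_anchor "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    echo "no usable root trust anchor found" >&2
    return 1
}

# Usage, with unbound-host installed (-f reads keys from a file):
#   anchor=$(pick_root_anchor) && unbound-host -v -f "$anchor" debian.org
```

Failing when no anchor is found keeps a missing root.key visible to the administrator rather than silently falling back to unvalidated answers.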
