Ondřej Surý wrote:
> Package: wnpp
> Severity: wishlist
> Owner: "Ondřej Surý" <ond...@debian.org>
>
> * Package name : dnssec-root-key

Hm, I would maybe call this dnssec-root-anchors. Technically there should be very few copies of the root key :-)

Similarly, s/key/trust anchors/g in the descriptions?

> Version : 20100715
> Upstream Author : ICANN/IANA
> * URL : http://data.iana.org/root-anchors/
> * License : Public Data (same as with root.zone)

It might be nice to include a copy of this document in /usr/share/doc:

http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt

Since it looks like this is the only place where a schema is defined for the root-anchors.xml file. But I guess we would need a better (non-)license than this:

Copyright (c) 2010 Internet Corporation For Assigned Names and Numbers.

> Programming Lang: None
> Description : This package contains DNSSEC root key
>
> This package contains DNSSEC root key in all available
> formats that all packages doing DNSSEC validation can
> use as a common data source.
> .
> unbound-anchor is used to keep the root.key up-to-date
> via RFC5011 mechanism.
>
> --
>
> PERSONAL NOTE: I now maintain at least two packages that
> need DNSSEC root.key (hash-slinger and getdns[1]). There
> are at least bind9, unbound and dnsmasq that can use this
> as well.
>
>
> 1. Waiting for next upstream release with proper libtool
> flags.

So, I wonder if this package should be responsible for providing the root-anchors.xml file, and the bind9/unbound/dnsmasq/etc. packages should be responsible for converting that from XML to whatever format they use (and unfortunately it appears every different program uses a different trust anchor format).

Or by "all available formats" do you mean that this source package should take the root-anchors.xml file and generate several common formats (at package build time?) and provide them in /usr/share alongside the original root-anchors files from iana.org, so that DNSSEC software packages don't need an XML dependency? (Though, bind9 and unbound-anchor already pull in XML parsing libraries, but e.g. dnsmasq currently does not.)

Should we patch unbound-anchor so that its fallback mode (where it tries to fetch files from https://data.iana.org/root-anchors/) can be made to check file:///usr/share/dnssec-root-anchors/ first? (And if so, it'd be nice to upstream that.)

Should we do anything about the built-in static content in unbound-anchor that would be duplicative of the content in this package? I'm talking about this:

http://anonscm.debian.org/gitweb/?p=users/edmonds/unbound.git;a=blob;f=smallapp/unbound-anchor.c;h=8ea4726b06313bf2f910d07f870d4e5350e25bce;hb=HEAD#l207

And this:

http://anonscm.debian.org/gitweb/?p=users/edmonds/unbound.git;a=blob;f=smallapp/unbound-anchor.c;h=8ea4726b06313bf2f910d07f870d4e5350e25bce;hb=HEAD#l237

And, finally, is it known that the root DNSSEC key will be rolled over with RFC 5011 semantics?

Anyway, consider this email an offer to co-maintain :-)

--
Robert Edmonds
edmo...@debian.org