Re: where is the DNSSEC root key?
On Fri, 05 Oct 2012, Peter Samuelson wrote:

> > However since all DNS servers are generally meant to use port 53, I
> > think it's unlikely to install more than one DNS server locally, so
> > I'm not sure if doing this makes sense from a packaging perspective.
> > [I can see how it does from an administration perspective.]
>
> It's actually not uncommon to run, e.g., rbldnsd on a nonstandard port,
> and a full nameserver on port 53, which forwards queries to it. Now
> that's not directly related, as rbldnsd will never need to know the
> DNSSEC root keys ... but I'm just saying.
>
> It is quite possible that somebody will want to run a recursive
> nameserver and an authoritative nameserver, different packages, on the
> same host. I wouldn't bother with that, mind you.

Well, for instance the .debian.org authoritative nameservers we run all
also have a local unbound installed as their local recursor. unbound
binds to localhost:53, bind9 to all the other addresses of a host.

I don't think it's all that strange a setup.

Cheers,
weasel

-- 
|  .''`.  ** Debian **      Peter Palfrader
| : :' :      The  universal http://www.palfrader.org/
| `. `'      Operating System
|   `-    http://www.debian.org/

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20121010005033.gk1...@anguilla.noreply.org
Re: where is the DNSSEC root key?
When unbound is installed, the root key is at /var/lib/unbound/root.key.
The init script updates it, if requested, by way of unbound-anchor(8).

Ideally there would be a separate package each dnssec-aware package could
depend on which would maintain the root.key file.

For comparison, gentoo has a net-dns/dnssec-root package which installs
/etc/dnssec/root-anchors.txt and .xml. That would be a good precedent to
follow.

-JimC

-- 
James Cloos          cl...@jhcloos.com         OpenPGP: 1024D/ED7DAEA6

Archive: http://lists.debian.org/m3obkczipi@carbon.jhcloos.org
Re: where is the DNSSEC root key?
On Thursday, October 04, 2012 10:44:10 PM Philipp Kern wrote:
> On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:
> > Last I looked into this [which has admittedly been a while], Bind 9
> > was the only DNS server that had actually implemented DNSSEC, and the
> > others I looked at (PowerDNS, djbdns, tinydns) had stated (IIRC) that
> > they were /not/ going to be implementing it.
>
> Obviously there are also recursive resolver implementations, like
> unbound. To the client they look like DNS servers, too. (And you really
> want to use one of them on your local machine to do the DNSSEC
> validation.)

Obviously I forgot about that case; thanks for pointing this out.
[Likewise I hadn't considered the possibility of 'dig' being able to do
this either.]

> Generally plain servers do not care about the key, it's just the
> recursive resolvers that need it.

That makes sense; the reason I missed the other cases is that I'm used to
Bind9, where the recursive resolver /is/ the DNS server. [Which itself is
an issue.]

> > The problem with this idea is that files installed by Debian packages
> > must be unique in order to avoid file conflicts between packages. One
> > way around this issue is via 'alternatives'. [1]
>
> Alternatives don't make sense. A dedicated package might make some.

Yes I thought about the dedicated package case first, but then realized
that this would introduce a Depends/Suggests/Recommends on that package to
the other DNS server packages that are DNSSEC capable. However being that
there's clearly a wider use case for the DNSSEC root key, I see what you
mean and I agree. Thanks.

-- 
  -- Chris

Chris Knadle
chris.kna...@coredump.us

Archive: http://lists.debian.org/6885195.3YkuVxqPbt@trelane
Re: where is the DNSSEC root key?
[Chris Knadle]
> However since all DNS servers are generally meant to use port 53, I
> think it's unlikely to install more than one DNS server locally, so I'm
> not sure if doing this makes sense from a packaging perspective. [I can
> see how it does from an administration perspective.]

It's actually not uncommon to run, e.g., rbldnsd on a nonstandard port,
and a full nameserver on port 53, which forwards queries to it. Now
that's not directly related, as rbldnsd will never need to know the
DNSSEC root keys ... but I'm just saying.

It is quite possible that somebody will want to run a recursive
nameserver and an authoritative nameserver, different packages, on the
same host. I wouldn't bother with that, mind you.

Peter

Archive: http://lists.debian.org/20121005162324.gb4...@p12n.org
Re: where is the DNSSEC root key?
On Thursday, October 04, 2012 06:42:08, Nikos Mavrogiannopoulos wrote:
> Hello,
> I've started working with DNSSEC and I noticed a quite important issue.
> The DNSSEC libraries ask for the root key, but where this file is
> located is system specific (meaning no fixed location). Where is this
> key located in debian (let's forget the multiple possible formats)? The
> dnssec wiki in [0] mentions that the package bind9 contains the key.
> However this key may be required even without bind9.

Last I looked into this [which has admittedly been a while], Bind 9 was
the only DNS server that had actually implemented DNSSEC, and the others
I looked at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were
/not/ going to be implementing it.

> My request is, whether there can be a fixed file location similar to
> /etc/ssl/certs/ca-certificates.crt that will contain the DNSSEC root key
> either in the bind or the unbound format? That way dnssec applications
> could rely on the debian system to update/obtain the key.

The problem with this idea is that files installed by Debian packages
must be unique in order to avoid file conflicts between packages. One way
around this issue is via 'alternatives'. [1]

However since all DNS servers are generally meant to use port 53, I think
it's unlikely to install more than one DNS server locally, so I'm not
sure if doing this makes sense from a packaging perspective. [I can see
how it does from an administration perspective.]

[1] http://www.debian.org/doc/debian-policy/ap-pkg-alternatives.html

-- Chris

-- 
Chris Knadle
chris.kna...@coredump.us
GPG Key: 4096R/0x1E759A726A9FDD74

Archive: http://lists.debian.org/201210041510.02083.chris.kna...@coredump.us
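The two practical questions in the messages above are where the trust anchor lives and which of several formats it is in: unbound's root.key holds a DNSKEY RR, BIND's trusted-keys stanza holds the same DNSKEY in its own syntax, and IANA's root-anchors.xml (the file gentoo's dnssec-root package ships) holds DS-form data (key tag, algorithm, digest type, digest) rather than the key itself. The script below is an added example, not code from any poster or from Debian, unbound or BIND: it parses the DNSKEY form from either file layout, derives the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 5.1.4 with digest type 2, RFC 4509) from it, and checks the result against DS anchors read from a root-anchors.xml style document, so an operator can confirm that two differently formatted anchor files describe the same key. The DNSKEY line, the trusted-keys block and the XML are constructed samples around a throwaway 4-byte key so the script runs offline; the real root KSK, the /var/lib/unbound/root.key path and the IANA download location are deliberately not embedded.

```python
"""Check a DNSKEY-form DNSSEC trust anchor against a DS-form anchor.

Added example (not Debian, unbound or BIND code). Implements the key tag
of RFC 4034 Appendix B and the DS digest of RFC 4034 5.1.4 with SHA-256
(digest type 2, RFC 4509). All inputs below are constructed samples.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name; "." -> b"\\x00"."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def parse_dnskey_rr(line):
    """Parse one DNSKEY RR in zone-file form (the unbound root.key layout).
    TTL and class are optional and ';' comments are ignored."""
    tokens = line.split(";", 1)[0].split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    return {"owner": tokens[0], "flags": flags, "protocol": proto,
            "algorithm": alg, "pubkey": base64.b64decode("".join(tokens[i + 4:]))}


def parse_bind_trusted_keys(text):
    """Parse the keys of a BIND trusted-keys { "zone" flags proto alg "b64"; } block."""
    pat = r'"([^"]*)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"'
    return [{"owner": z, "flags": int(f), "protocol": int(p), "algorithm": int(a),
             "pubkey": base64.b64decode(re.sub(r"\s+", "", k))}
            for z, f, p, a, k in re.findall(pat, text)]


def dnskey_rdata(key):
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]]) + key["pubkey"])


def key_tag(key):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key):
    """Digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(key["owner"]) + dnskey_rdata(key)).hexdigest().upper()


def parse_root_anchors_xml(text):
    """Read the DS-style anchors (Zone, KeyDigest/KeyTag/Algorithm/DigestType/Digest)."""
    root = ET.fromstring(text.encode("utf-8"))
    zone = root.findtext("Zone")
    return [{"zone": zone, "key_tag": int(kd.findtext("KeyTag")),
             "algorithm": int(kd.findtext("Algorithm")),
             "digest_type": int(kd.findtext("DigestType")),
             "digest": kd.findtext("Digest").strip().upper()}
            for kd in root.findall("KeyDigest")]


def dnskey_matches_anchors(key, anchors):
    """True if key is a KSK (SEP flag set) whose derived DS equals one DS anchor."""
    if not key["flags"] & 0x0001:
        return False
    tag, digest = key_tag(key), ds_digest(key)
    return any(a["digest_type"] == 2 and a["algorithm"] == key["algorithm"]
               and a["key_tag"] == tag and a["digest"] == digest
               and a["zone"].lower().rstrip(".") == key["owner"].lower().rstrip(".")
               for a in anchors)


def check_root_key_against_anchors(root_key_text, anchors_xml):
    """For every DNSKEY line of a root.key style file: (key tag, matches an anchor)."""
    anchors = parse_root_anchors_xml(anchors_xml)
    keys = [parse_dnskey_rr(l) for l in root_key_text.splitlines()
            if "DNSKEY" in l.split(";", 1)[0]]
    return [(key_tag(k), dnskey_matches_anchors(k, anchors)) for k in keys]


# Constructed samples: a throwaway 4-byte "key" standing in for the root KSK.
SAMPLE_ROOT_KEY = ". 172800 IN DNSKEY 257 3 8 AQIDBA== ;{id = 2063 (ksk)}\n"
SAMPLE_BIND_TRUSTED_KEYS = 'trusted-keys {\n    "." 257 3 8 "AQIDBA==";\n};\n'
_SAMPLE_KEY = parse_dnskey_rr(SAMPLE_ROOT_KEY)
# The matching digest is generated here only because the key is made up; a real
# root-anchors.xml comes from IANA and is compared against, never generated.
SAMPLE_ANCHORS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed" source="constructed-example">
<Zone>.</Zone>
<KeyDigest id="current"><KeyTag>{key_tag(_SAMPLE_KEY)}</KeyTag><Algorithm>8</Algorithm>
<DigestType>2</DigestType><Digest>{ds_digest(_SAMPLE_KEY)}</Digest></KeyDigest>
<KeyDigest id="stale"><KeyTag>12345</KeyTag><Algorithm>8</Algorithm>
<DigestType>2</DigestType><Digest>{'00' * 32}</Digest></KeyDigest>
</TrustAnchor>
"""

if __name__ == "__main__":
    for tag, ok in check_root_key_against_anchors(SAMPLE_ROOT_KEY, SAMPLE_ANCHORS_XML):
        print(f"key tag {tag}: {'matches' if ok else 'NOT in'} DS anchors")
```

On a real host the same check would read the installed root.key (or the trusted-keys block from named.conf) and the downloaded root-anchors.xml instead of the sample strings; a key whose derived DS is in neither KeyDigest entry is either stale, tampered with, or a ZSK that was never meant to be an anchor, and the SEP-flag test rejects the last case before any hashing.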
Re: where is the DNSSEC root key?
On 10/04/2012 09:10 PM, Chris Knadle wrote:
> Last I looked into this [which has admittedly been a while], Bind 9 was
> the only DNS server that had actually implemented DNSSEC, and the others
> I looked at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were
> /not/ going to be implementing it.

The powerguys have an implementation, although what I've heard so far it
still has some issues...

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F

Archive: http://lists.debian.org/506de407.5080...@bzed.de
Re: where is the DNSSEC root key?
On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:
> Last I looked into this [which has admittedly been a while], Bind 9 was
> the only DNS server that had actually implemented DNSSEC, and the others
> I looked at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were
> /not/ going to be implementing it.

Obviously there are also recursive resolver implementations, like
unbound. To the client they look like DNS servers, too. (And you really
want to use one of them on your local machine to do the DNSSEC
validation.)

Generally plain servers do not care about the key, it's just the
recursive resolvers that need it.

> The problem with this idea is that files installed by Debian packages
> must be unique in order to avoid file conflicts between packages. One
> way around this issue is via 'alternatives'. [1]

Alternatives don't make sense. A dedicated package might make some.

Kind regards
Philipp Kern

Archive: http://lists.debian.org/20121004204410.ga15...@hub.kern.lc
Re: where is the DNSSEC root key?
Philipp Kern pk...@debian.org writes:
> On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:
> > Last I looked into this [which has admittedly been a while], Bind 9
> > was the only DNS server that had actually implemented DNSSEC, and the
> > others I looked at (PowerDNS, djbdns, tinydns) had stated (IIRC) that
> > they were /not/ going to be implementing it.
>
> Obviously there are also recursive resolver implementations, like
> unbound. To the client they look like DNS servers, too. (And you really
> want to use one of them on your local machine to do the DNSSEC
> validation.)
>
> Generally plain servers do not care about the key, it's just the
> recursive resolvers that need it.

To note is that dig(1) (of dnsutils) implements such a resolver (while
not being a DNS server.) With +sigchase and +trusted-key=, it's
perfectly capable of DNSSEC validation.

> > The problem with this idea is that files installed by Debian packages
> > must be unique in order to avoid file conflicts between packages. One
> > way around this issue is via 'alternatives'.
>
> Alternatives don't make sense. A dedicated package might make some.

Yes. Such a package should also include the ISC DNSSEC Look-aside
Validation [1] trusted key, BTW.

[1] https://dlv.isc.org/

-- 
FSF associate member #7257

Archive: http://lists.debian.org/86pq4xldzz@gray.siamics.net