Hi dkg,

I think Debian will need this patch for pluto to read the /usr/share/dns/root.key file. The Libreswan default location is the root.key file on Fedora 2x, /var/lib/unbound/root.key.

I can also imagine Debian has a different, generated file with the latest root key(s), such as a root.anchor file? However, be careful using a root.anchor instead of the root.key which comes from the package dns-root-data. If the root.anchor does not get generated for some reason, say no network or no access to the "." zone, pluto may fail. I am not sure how root.anchor is generated.

As far as I see, unbound-anchor does not come with root.key on Debian.
https://packages.debian.org/sid/amd64/unbound-anchor/filelist

dns-root-data seems to come with the root.key file.
https://packages.debian.org/stretch/all/dns-root-data/filelist

Some weird DSL modems/routers may block queries to the "." zone when they try to do more DNS magic.

Thanks for testing 3.21rcX on Debian.

regards,
-antony
>From fdf94f2756d3b3844b8d6fe62286c941d705e59f Mon Sep 17 00:00:00 2001 From: Antony Antony <[email protected]> Date: Sat, 24 Jun 2017 00:21:12 +0200 Subject: [PATCH] add dns-root-data dependency and use root.key from it set Debian location for root.key file when compiling DEFAULT_DNSSEC_ROOTKEY_FILE=/usr/share/dns/root.key Signed-off-by: Antony Antony <[email protected]> --- debian/control | 1 + debian/rules | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 4ccc0a590..f7fc6bdb7 100644 --- a/debian/control +++ b/debian/control @@ -40,6 +40,7 @@ Pre-Depends: debconf | debconf-2.0, Depends: bsdmainutils, + dns-root-data, host, iproute2 | iproute (>= 20071016), libnspr4, diff --git a/debian/rules b/debian/rules index 54c6baa0a..541801dc6 100755 --- a/debian/rules +++ b/debian/rules @@ -33,7 +33,8 @@ override_dh_auto_build: $(ENABLE_LIBCAP_NG) \ $(ENABLE_SELINUX) \ USE_KLIPS=false \ - USE_DNSSEC=true + USE_DNSSEC=true \ + DEFAULT_DNSSEC_ROOTKEY_FILE=/usr/share/dns/root.key override_dh_auto_install-arch: # Add here commands to install the package into debian/libreswan -- 2.11.0
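Review bot: In the debian/control hunk, the new dns-root-data entry in Depends carries no version constraint, so any installed version of that package satisfies it, including one whose root.key predates the current trust anchor. Since the build now points pluto at /usr/share/dns/root.key unconditionally, consider whether a minimum version is needed here, in the same style as the existing "iproute2 | iproute (>= 20071016)" line, and say in the commit message why it is or is not.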
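Review bot: In the debian/rules hunk, the added DEFAULT_DNSSEC_ROOTKEY_FILE=/usr/share/dns/root.key line in override_dh_auto_build hardcodes a path owned by another package, and nothing in the file ties it to the dns-root-data dependency added in debian/control. A short comment next to the make arguments stating that the path is provided by dns-root-data would keep the two files in sync if either is changed later. The continuation backslash added after USE_DNSSEC=true is correct, and the new last line rightly has none.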
