On May 9, 2022, at 12:03, Michael Tokarev via Unbound-users 
<[email protected]> wrote:

> In debian we decided to provide a separate package, dns-root-data, which
> contains the root.key and root.hints, distributed using the usual way.
> I dunno myself how reliable that will be in practice.

For what it's worth, this is pretty much what we had in mind when I was at 
ICANN working on the team that deployed DNSSEC in the root zone.

We imagined that software vendors might use their established code- and 
package-signing crypto infrastructure to distribute verified copies of the root 
zone trust anchor, which is why the root key (amongst other formats) has been 
made available in the form of a CSR, as described in RFC 7958.

The vendors we had in mind were those who maintained operating systems as well 
as DNS-specific software.

We thought vendors might make arrangements with ICANN to establish processes to 
validate the authenticity of each new root anchor, sign the corresponding CSR 
and either distribute the resulting certificate themselves or ask ICANN to do 
it. None of this really happened as we thought, but Debian distributing a trust 
anchor that has been verified as accurate to the satisfaction of whoever 
maintains the package seems like pretty much the same thing.  

If you can trust environments to keep packages up to date, and you have a 
trustworthy package distribution system, this still seems like a good option to 
me, and likely still worth doing even if other mechanisms also exist, e.g. 
support for RFC 5011 in validating resolvers.


Joe
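As an added illustration of the check a packager would run before shipping a root.key (example code, not from this thread or from any distribution): it computes the key tag and DS digest of a DNSKEY line as RFC 4034 specifies and compares them with a KeyDigest entry in an RFC 7958 style root-anchors.xml. The DNSKEY line and the XML are constructed samples, and the 4-byte "public key" is a stand-in, not a real RSA key.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str) -> dict:
    """Parse '. IN DNSKEY <flags> <proto> <alg> <base64>' (root.key presentation format)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(f[i + 4:]))
    return {"flags": flags, "alg": alg, "rdata": rdata}

def ds_digest(rdata: bytes) -> str:
    """RFC 4034 section 5.1.4 DS digest, type 2 (SHA-256), over owner name wire form + RDATA.
    The root owner name '.' in wire form is the single zero byte."""
    return hashlib.sha256(b"\x00" + rdata).hexdigest().upper()

def anchor_matches(anchor_xml: str, dnskey_line: str) -> bool:
    """True if some KeyDigest in the RFC 7958 XML matches the DNSKEY line."""
    key = parse_dnskey(dnskey_line)
    if not key["flags"] & 0x0001:        # SEP bit must be set (a KSK, flags 257)
        return False
    tag, digest = key_tag(key["rdata"]), ds_digest(key["rdata"])
    for kd in ET.fromstring(anchor_xml).iter("KeyDigest"):
        if (int(kd.findtext("KeyTag")) == tag
                and int(kd.findtext("Algorithm")) == key["alg"]
                and int(kd.findtext("DigestType")) == 2
                and kd.findtext("Digest").strip().upper() == digest):
            return True
    return False

# Constructed sample: a 4-byte stand-in for the public key, not a real RSA key.
SAMPLE_DNSKEY = ". IN DNSKEY 257 3 8 AQIDBA=="
ANCHOR_TEMPLATE = ("<TrustAnchor id=\"constructed\" source=\"http://example.invalid/\">"
                   "<Zone>.</Zone><KeyDigest id=\"Kc\" validFrom=\"2022-01-01T00:00:00+00:00\">"
                   "<KeyTag>{tag}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>"
                   "<Digest>{digest}</Digest></KeyDigest></TrustAnchor>")

def sample_anchor_xml() -> str:
    """Constructed anchor XML derived from SAMPLE_DNSKEY; a real check feeds IANA's
    published root-anchors.xml in unchanged."""
    k = parse_dnskey(SAMPLE_DNSKEY)
    return ANCHOR_TEMPLATE.format(tag=key_tag(k["rdata"]), digest=ds_digest(k["rdata"]))
```

This only establishes that the packaged key agrees with the XML; that the XML itself is genuine is a separate step, since RFC 7958 publishes a detached signature over it that must be checked first.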
