On Mon, 29 Sep 2014, Thomas Winget wrote:
Despite my best efforts searching, I can't seem to find the correct way to deal with DNSSEC trust anchors cross-platform. I would like to enable DNSSEC validation for various DNS-based functions in a program that uses libunbound (C++), but maintaining trust anchors within the git repo is untenable (as some users don't compile from source). Note: the program uses libunbound for DNS queries, not as a server. Can anyone point me in the right direction for where various OS keep DNSSEC anchors, or if they include them? Currently we build for Win (XP+), OSX, Linux, and FreeBSD.
Are you referring to the root key and the dlv key? Or are you referring to your own custom KSK keys?

fedora/rhel and, I believe, debian/ubuntu put the root key in /var/lib/unbound/root.anchor, maintained by unbound-anchor.

On fedora/rhel, we put the dlv key at /etc/unbound/dlv.isc.org.key. Custom KSKs on fedora/rhel go into /etc/unbound/keys.d.

That said, libreswan for example uses libunbound, and it actually includes its own copy of the root KSK.

I wish we could get to a universal key directory, like /etc/dnssec/keys.d or something, using a single (bind) format for the key, but I think I will have a pony first.

Paul

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
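The reply above amounts to a lookup order: use the anchor file the OS maintains (unbound-anchor keeps /var/lib/unbound/root.anchor current via RFC 5011), and if the platform ships none, fall back to a copy bundled with the application, as libreswan does. The following Python sketch, added here by the editor and not code from the thread, libunbound or libreswan, shows that discovery logic plus a strict parser for the zone-format DS/DNSKEY lines that ub_ctx_add_ta_file would otherwise accept blindly. Assumptions: only the Linux path from the reply is treated as OS-provided; the bundled value is the root KSK-2010 DS record as IANA published it at the time (key tag 19036), which must be re-checked against IANA's current trust anchor file because the root KSK rolls; the DNSKEY material in demo() is constructed and not a real key.

```python
"""Cross-platform lookup of the DNSSEC root trust anchor for a libunbound
client: prefer the file the OS maintains (RFC 5011 via unbound-anchor),
fall back to a copy bundled with the application (editor's example)."""
import base64
import os
import re
import sys
import tempfile

# Root KSK-2010 DS record as published by IANA at the time of this thread
# (key tag 19036, RSASHA256, SHA-256 digest). Bundling it mirrors what the
# reply says libreswan does; confirm it against IANA's current trust anchor
# file before shipping, since the root KSK rolls.
BUNDLED_ROOT_ANCHOR = (
    ". IN DS 19036 8 2 "
    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
)

# Linux path from the reply (Fedora/RHEL, and per Paul Debian/Ubuntu), kept
# current by unbound-anchor. No OS-provided path is listed for the other
# build targets, so they fall through to the bundled copy (assumption).
OS_ANCHOR_PATHS = {"linux": ["/var/lib/unbound/root.anchor"]}

DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # SHA-1, SHA-256, SHA-384


def parse_trust_anchor(text):
    """Parse a zone-format trust anchor file into a list of DS/DNSKEY dicts.
    Accepts the files unbound-anchor writes (';;state=...' tags are comments)
    and the one-line DS form; raises ValueError on anything malformed."""
    anchors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():               # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"line {lineno}: no RR type/rdata")
        rrtype, rdata = rest[0].upper(), rest[1:]
        try:
            if rrtype == "DS":
                if len(rdata) != 4:
                    raise ValueError("DS needs keytag alg digest-type digest")
                keytag, alg, dtype = (int(x) for x in rdata[:3])
                digest = rdata[3].upper()
                want = DS_DIGEST_HEX_LEN.get(dtype)
                if want is None or not re.fullmatch(r"[0-9A-F]{%d}" % want, digest):
                    raise ValueError(f"bad digest for DS digest type {dtype}")
                anchors.append({"owner": owner, "type": "DS", "keytag": keytag,
                                "algorithm": alg, "digest_type": dtype,
                                "digest": digest})
            elif rrtype == "DNSKEY":
                if len(rdata) < 4:
                    raise ValueError("DNSKEY needs flags proto alg key")
                flags, proto, alg = (int(x) for x in rdata[:3])
                if proto != 3 or not flags & 256:    # protocol 3, ZONE bit set
                    raise ValueError("DNSKEY is not a zone key")
                key = "".join(rdata[3:])             # base64 may be space-split
                base64.b64decode(key, validate=True)  # raises on bad base64
                anchors.append({"owner": owner, "type": "DNSKEY", "flags": flags,
                                "algorithm": alg, "key": key})
            else:
                raise ValueError(f"unsupported RR type {rrtype}")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    if not anchors:
        raise ValueError("no trust anchors found")
    return anchors


def is_valid_anchor_text(text):
    """True if text parses as at least one well-formed DS/DNSKEY anchor."""
    try:
        parse_trust_anchor(text)
        return True
    except ValueError:
        return False


def find_trust_anchor(platform=None, candidates=None):
    """Return (source, anchors): the first readable, well-formed OS file for
    this platform, else ("bundled", ...) from the built-in DS record."""
    if candidates is None:
        plat = platform or sys.platform
        candidates = next((paths for key, paths in OS_ANCHOR_PATHS.items()
                           if plat.startswith(key)), [])
    for path in candidates:
        try:
            with open(path, encoding="ascii", errors="replace") as fh:
                return path, parse_trust_anchor(fh.read())
        except (OSError, ValueError):
            continue       # absent, unreadable or malformed: try the next one
    return "bundled", parse_trust_anchor(BUNDLED_ROOT_ANCHOR)


def demo():
    """Write a file in the shape unbound-anchor produces (constructed content,
    not real key material) and show it is preferred over the bundled DS."""
    constructed = (
        "; autotrust trust anchor file\n"
        ";;id=. 1\n"
        ". 172800 IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDkeyMATERIALnotREAL00 "
        ";;state=2 [  VALID  ] ;;count=0\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "root.anchor")
        with open(path, "w") as fh:
            fh.write(constructed)
        return find_trust_anchor(candidates=[path, "/nonexistent/root.anchor"])


if __name__ == "__main__":
    print(find_trust_anchor())          # whatever this host actually has
    print(demo())
```

In the C++ program the returned path (or the bundled string) is what you hand to libunbound before issuing queries, and a result should only be trusted when the library reports it as secure. The parser is deliberately strict: a truncated or hand-edited anchor file should make the program fall back to the bundled copy rather than silently validate against garbage, and the fallback only exists so that validation stays on; it does not replace keeping the OS-maintained file, which is the one that tracks key rollovers.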
