Thanks for the quick reply! So for unbound installed in a default config on a Linux box, that seems reasonable. But that doesn't help with Windows, and requires unbound installed (rather than just e.g. libunbound-dev on *buntu). I'm hoping to find a solution that will be very cross-platform friendly and not require an extra dependency, but I can sacrifice the latter in the interest of the former if necessary.
On Mon, Sep 29, 2014 at 8:09 PM, Paul Wouters <[email protected]> wrote:

> On Mon, 29 Sep 2014, Thomas Winget wrote:
>
>> Despite my best efforts searching, I can't seem to find the correct way
>> to deal with DNSSEC trust anchors cross-platform. I would
>> like to enable DNSSEC validation for various DNS-based functions in a
>> program that uses libunbound (C++), but maintaining trust
>> anchors within the git repo is untenable (as some users don't compile
>> from source). Note: the program uses libunbound for DNS
>> queries, not as a server.
>> Can anyone point me in the right direction for where various OS keep
>> DNSSEC anchors, or if they include them? Currently we build for
>> Win (XP+), OSX, Linux, and FreeBSD.
>
> Are you referring to the root key and the dlv key? Or are you referring
> to your own customer KSK keys?
>
> fedora/rhel and I believe debian/ubuntu, put the root key in
> /var/lib/unbound/root.anchor maintained by unbound-anchor.
>
> On fedora/rhel, we put the dlv key at /etc/unbound/dlv.isc.org.key
>
> custom KSKs on fedora/rhel go into /etc/unbound/keys.d
>
> That said, libreswan for example uses libunbound, and it actually
> includes its own copy of the root KSK. I wish we could get to a
> universal key directory, like /etc/dnssec/keys.d or something,
> using a single (bind) format for the key, but I think I will
> have a pony first.
>
> Paul

-- 
Thomas Winget
Computer Engineering
Purdue University '12
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
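Added example, not code from the thread, from unbound, or from Thomas's program: a small C locator for a DNSSEC root trust anchor that tries the platform paths discussed on the list, checks that the file actually contains a root DS or DNSKEY record in the BIND-style format unbound-anchor writes, and fails closed when nothing usable is found rather than resolving unvalidated. Only `/var/lib/unbound/root.anchor` comes from Paul's message; the other candidate paths, the `HAVE_LIBUNBOUND` build macro, the placeholder DS digest and the `nlnetlabs.nl.` test name are assumptions made for this example. A program that ships its own copy of the anchor (as libreswan does) would simply append that file's path as the last candidate.

```c
/* Added example: locate a usable DNSSEC root trust anchor across platforms,
 * then hand it to libunbound and require a validated ("secure") answer.
 * Build with -DHAVE_LIBUNBOUND -lunbound to enable the resolver part. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Candidate anchor files, most preferred first. The first path is the one
 * named in the thread; the others are assumptions for illustration. A copy
 * bundled with the program would go last as a fallback. */
static const char *const ANCHOR_CANDIDATES[] = {
    "/var/lib/unbound/root.anchor",     /* fedora/rhel, debian/ubuntu (thread) */
    "/etc/unbound/root.key",            /* assumed: unbound-anchor default elsewhere */
    "/usr/local/etc/unbound/root.key",  /* assumed: FreeBSD ports layout */
    NULL
};

/* Return 1 if a line is a BIND-format DS or DNSKEY record whose owner is the
 * root ("."), i.e. the shape unbound-anchor writes and ub_ctx_add_ta_file reads.
 * Comment lines (";...") and records for other owners return 0. */
int looks_like_root_anchor(const char *line)
{
    char buf[1024];
    char *tok;
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    tok = strtok(buf, " \t\r\n");               /* single-threaded example */
    if (tok == NULL || strcmp(tok, ".") != 0)   /* owner must be the root */
        return 0;
    tok = strtok(NULL, " \t\r\n");
    if (tok != NULL && isdigit((unsigned char)tok[0]))   /* optional TTL */
        tok = strtok(NULL, " \t\r\n");
    if (tok != NULL && strcmp(tok, "IN") == 0)           /* optional class */
        tok = strtok(NULL, " \t\r\n");
    if (tok == NULL)
        return 0;
    return strcmp(tok, "DS") == 0 || strcmp(tok, "DNSKEY") == 0;
}

/* Return 1 if the file can be read and holds at least one root DS/DNSKEY line.
 * An empty or truncated file is treated as unusable, not as "no validation". */
int anchor_file_usable(const char *path)
{
    char line[1024];
    int found = 0;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    while (!found && fgets(line, sizeof line, f) != NULL)
        found = looks_like_root_anchor(line);
    fclose(f);
    return found;
}

/* Return the first usable candidate path, or NULL if none is usable. */
const char *find_trust_anchor(const char *const *candidates)
{
    for (; *candidates != NULL; candidates++)
        if (anchor_file_usable(*candidates))
            return *candidates;
    return NULL;
}

/* Write a constructed sample anchor file. The digest is a placeholder,
 * not the real root DS; real deployments use the unbound-anchor output. */
int write_constructed_anchor(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("; constructed sample, digest is a placeholder\n", f);
    fputs(". 86400 IN DS 12345 8 2 "
          "0000000000000000000000000000000000000000000000000000000000000000\n", f);
    return fclose(f);
}

#ifdef HAVE_LIBUNBOUND
#include <unbound.h>
/* Resolve name/rrtype with libunbound and accept the answer only if it was
 * validated (secure && !bogus). Unsigned ("insecure") answers are rejected
 * too, because this program expects the names it queries to be signed. */
int resolve_validated(const char *anchor_path, const char *name, int rrtype)
{
    struct ub_ctx *ctx = ub_ctx_create();
    struct ub_result *res = NULL;
    int ok = -1;
    if (ctx == NULL)
        return -1;
    if (ub_ctx_add_ta_file(ctx, anchor_path) == 0 &&
        ub_resolve(ctx, name, rrtype, 1 /* class IN */, &res) == 0) {
        ok = (res->secure && !res->bogus) ? 0 : -1;
        if (res->bogus)
            fprintf(stderr, "bogus answer for %s: %s\n", name, res->why_bogus);
        ub_resolve_free(res);
    }
    ub_ctx_delete(ctx);
    return ok;
}
#endif

int main(void)
{
    const char *anchor = find_trust_anchor(ANCHOR_CANDIDATES);
    if (anchor == NULL) {
        fputs("no usable DNSSEC trust anchor found; refusing to resolve unvalidated\n", stderr);
        return 1;
    }
    printf("using trust anchor %s\n", anchor);
#ifdef HAVE_LIBUNBOUND
    return resolve_validated(anchor, "nlnetlabs.nl.", 1 /* A */) == 0 ? 0 : 2;
#else
    return 0;
#endif
}
```

The content check matters more than the path search: on a box where unbound-anchor has never run, the file may exist but be empty, and ub_ctx_add_ta_file will then give you a context with no anchor at all, so every answer comes back insecure rather than bogus. Checking `res->secure` (not merely the absence of `res->bogus`) is what turns that into a hard failure.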
