Linux Archive, Debian Development: where is the DNSSEC root key? (http://www.linux-archive.org/debian-development/709554-where-dnssec-root-key.html)

Nikos Mavrogiannopoulos 10-04-2012 10:42 AM

where is the DNSSEC root key?
 
Hello,
I've started working with DNSSEC and I noticed a quite important
issue. The DNSSEC libraries ask for the root key, but where this file
is located is system specific (meaning no fixed location). Where is
this key located in debian (let's forget the multiple possible
formats)? The dnssec wiki in [0] mentions that the package bind9
contains the key. However this key may be required even without bind9.

My request is, whether there can be a fixed file location similar to
/etc/ssl/certs/ca-certificates.crt that will contain the DNSSEC root
key either in the bind or the unbound format? That way dnssec
applications could rely on the debian system to update/obtain the key.

[0]. http://wiki.debian.org/DNSSEC

regards,
Nikos


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAJU7zaKuy9Wz5i0QtWed0noPnJuZx+yK6wWSFX7pywKdSq4zKA@mail.gmail.com

Chris Knadle 10-04-2012 07:10 PM

where is the DNSSEC root key?
 
On Thursday, October 04, 2012 06:42:08, Nikos Mavrogiannopoulos wrote:
> Hello,
> I've started working with DNSSEC and I noticed a quite important
> issue. The DNSSEC libraries ask for the root key, but where this file
> is located is system specific (meaning no fixed location). Where is
> this key located in debian (let's forget the multiple possible
> formats)? The dnssec wiki in [0] mentions that the package bind9
> contains the key. However this key may be required even without bind9.

Last I looked into this [which has admittedly been a while], Bind 9 was the
only DNS server that had actually implemented DNSSEC, and the others I looked
at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were /not/ going to
be implementing it.

> My request is, whether there can be a fixed file location similar to
> /etc/ssl/certs/ca-certificates.crt that will contain the DNSSEC root
> key either in the bind or the unbound format? That way dnssec
> applications could rely on the debian system to update/obtain the key.

The problem with this idea is that files installed by Debian packages must be
unique in order to avoid file conflicts between packages. One way around this
issue is via 'alternatives'. [1]

However since all DNS servers are generally meant to use port 53, I think it's
unlikely to install more than one DNS server locally, so I'm not sure if doing
this makes sense from a packaging perspective. [I can see how it does from an
administration perspective.]

[1] http://www.debian.org/doc/debian-policy/ap-pkg-alternatives.html

-- Chris

--
Chris Knadle
Chris.Knadle@coredump.us
GPG Key: 4096R/0x1E759A726A9FDD74


Archive: http://lists.debian.org/201210041510.02083.Chris.Knadle@coredump.us

Bernd Zeimetz 10-04-2012 07:31 PM

where is the DNSSEC root key?
 
On 10/04/2012 09:10 PM, Chris Knadle wrote:

> Last I looked into this [which has admittedly been a while], Bind 9 was the
> only DNS server that had actually implemented DNSSEC, and the others I looked
> at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were /not/ going to
> be implementing it.

The powerguys have an implementation, although from what I've heard so far it still
has some issues...

--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F


Archive: http://lists.debian.org/506DE407.5080405@bzed.de

Philipp Kern 10-04-2012 08:44 PM

where is the DNSSEC root key?
 
On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:
> Last I looked into this [which has admittedly been a while], Bind 9 was the
> only DNS server that had actually implemented DNSSEC, and the others I looked
> at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were /not/ going to
> be implementing it.

Obviously there are also recursive resolver implementations, like unbound. To
the client they look like DNS servers, too. (And you really want to use one of
them on your local machine to do the DNSSEC validation.)

Generally plain servers do not care about the key, it's just the recursive
resolvers that need it.

> The problem with this idea is that files installed by Debian packages must be
> unique in order to avoid file conflicts between packages. One way around this
> issue is via 'alternatives'. [1]

Alternatives don't make sense. A dedicated package might make some.

Kind regards
Philipp Kern


Archive: http://lists.debian.org/20121004204410.GA15828@hub.kern.lc

Ivan Shmakov 10-05-2012 04:49 AM

where is the DNSSEC root key?
 
>>>>> Philipp Kern <pkern@debian.org> writes:
>>>>> On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:

>> Last I looked into this [which has admittedly been a while], Bind 9
>> was the only DNS server that had actually implemented DNSSEC, and
>> the others I looked at (PowerDNS, djbdns, tinydns) had stated (IIRC)
>> that they were /not/ going to be implementing it.

> Obviously there are also recursive resolver implementations, like
> unbound. To the client they look like DNS servers, too. (And you
> really want to use one of them on your local machine to do the DNSSEC
> validation.)

> Generally plain servers do not care about the key, it's just the
> recursive resolvers that need it.

Of note is that dig(1) (of dnsutils) implements such a resolver
(while not being a DNS server). With +sigchase and
+trusted-key=, it's perfectly capable of DNSSEC validation.

>> The problem with this idea is that files installed by Debian
>> packages must be unique in order to avoid file conflicts between
>> packages. One way around this issue is via 'alternatives'.

> Alternatives don't make sense. A dedicated package might make some.

Yes.

Such a package should also include the ISC DNSSEC Look-aside
Validation [1] trusted key, BTW.

[1] https://dlv.isc.org/

--
FSF associate member #7257


Archive: http://lists.debian.org/86pq4xldzz.fsf@gray.siamics.net

Chris Knadle 10-05-2012 07:16 AM

where is the DNSSEC root key?
 
On Thursday, October 04, 2012 10:44:10 PM Philipp Kern wrote:
> On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:
> > Last I looked into this [which has admittedly been a while], Bind 9 was
> > the
> > only DNS server that had actually implemented DNSSEC, and the others I
> > looked at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were
> > /not/ going to be implementing it.
>
> Obviously there are also recursive resolver implementations, like unbound.
> To the client they look like DNS servers, too. (And you really want to use
> one of them on your local machine to do the DNSSEC validation.)

Obviously I forgot about that case; thanks for pointing this out.
[Likewise I hadn't considered the possibility of 'dig' being able to do this
either.]

> Generally plain servers do not care about the key, it's just the recursive
> resolvers that need it.

That makes sense; the reason I missed the other cases is that I'm used to
Bind9, where the recursive resolver /is/ the DNS server. [Which itself is an
issue.]

> > The problem with this idea is that files installed by Debian packages must
> > be unique in order to avoid file conflicts between packages. One way
> > around this issue is via 'alternatives'. [1]
>
> Alternatives don't make sense. A dedicated package might make some.

Yes I thought about the dedicated package case first, but then realized that
this would introduce a Depends/Suggests/Recommends on that package to the
other DNS server packages that are DNSSEC capable. However being that there's
clearly a wider use case for the DNSSEC root key, I see what you mean and I
agree.

Thanks.

--

-- Chris

Chris Knadle
Chris.Knadle@coredump.us


Archive: http://lists.debian.org/6885195.3YkuVxqPbt@trelane

Peter Samuelson 10-05-2012 04:23 PM

where is the DNSSEC root key?
 
[Chris Knadle]
> However since all DNS servers are generally meant to use port 53, I
> think it's unlikely to install more than one DNS server locally, so
> I'm not sure if doing this makes sense from a packaging perspective.
> [I can see how it does from an administration perspective.]

It's actually not uncommon to run, e.g., rbldnsd on a nonstandard port,
and a full nameserver on port 53, which forwards queries to it. Now
that's not directly related, as rbldnsd will never need to know the
DNSSEC root keys ... but I'm just saying. It is quite possible that
somebody will want to run a recursive nameserver and an authoritative
nameserver, different packages, on the same host. I wouldn't bother
with that, mind you.

Peter


Archive: http://lists.debian.org/20121005162324.GB4151@p12n.org

James Cloos 10-08-2012 10:45 PM

where is the DNSSEC root key?
 
When unbound is installed, the root key is at /var/lib/unbound/root.key.

The init script updates it, if requested, by way of unbound-anchor(8).

Ideally there would be a separate package each dnssec-aware package
could depend on which would maintain the root.key file.

For comparison, gentoo has a net-dns/dnssec-root package which
installs /etc/dnssec/root-anchors.txt and .xml. That would be
a good precedent to follow.

-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6


Archive: http://lists.debian.org/m3obkczipi.fsf@carbon.jhcloos.org
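Nikos asked for one fixed file holding the root key "in the bind or the unbound format", and James points at unbound's root.key (a DNSKEY record) next to gentoo's root-anchors.txt (a DS record). As an added example, not code from the thread or from any Debian or gentoo package, here is the check an administrator would want between those two forms: derive the DS record from the installed DNSKEY and compare it with the published anchor. The file contents below are constructed throwaway values, not the real root KSK.

```python
import base64
import hashlib

# Constructed sample line in the DNSKEY presentation format that unbound's
# /var/lib/unbound/root.key uses. The 3-byte public key "AQID" is a
# throwaway value, NOT a real root KSK; the ';' comment mimics unbound's.
UNBOUND_ROOT_KEY = ". 172800 IN DNSKEY 257 3 8 AQID ;{id = 2059 (ksk), size = 24b}"

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name; the root "." is one zero byte."""
    labels = [lab.lower() for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def parse_dnskey(line: str) -> tuple:
    """Return (owner, rdata) from a DNSKEY line; trailing ';' comments are dropped."""
    f = line.split(";")[0].split()
    idx = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(f[idx + 4:]))
    return f[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def ds_from_dnskey(line: str) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 hex): the DS record a
    root-anchors.txt entry for this DNSKEY must carry (RFC 4034 s5, RFC 4509)."""
    owner, rdata = parse_dnskey(line)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def parse_ds(line: str) -> tuple:
    """Return (key tag, algorithm, digest type, digest hex) from a DS line."""
    f = line.split(";")[0].split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()

def anchors_agree(dnskey_line: str, ds_line: str) -> bool:
    """True when the installed DNSKEY anchor matches the published DS anchor."""
    return ds_from_dnskey(dnskey_line) == parse_ds(ds_line)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(UNBOUND_ROOT_KEY)
    print(anchors_agree(UNBOUND_ROOT_KEY, f". IN DS {tag} {alg} {dtype} {digest}"))
```

Point `parse_dnskey` at the real root.key and `parse_ds` at a root-anchors.txt line to compare a live installation; only digest type 2 (SHA-256) is handled here.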

Peter Palfrader 10-10-2012 12:50 AM

where is the DNSSEC root key?
 
On Fri, 05 Oct 2012, Peter Samuelson wrote:

> > However since all DNS servers are generally meant to use port 53, I
> > think it's unlikely to install more than one DNS server locally, so
> > I'm not sure if doing this makes sense from a packaging perspective.
> > [I can see how it does from an administration perspective.]
>
> It's actually not uncommon to run, e.g., rbldnsd on a nonstandard port,
> and a full nameserver on port 53, which forwards queries to it. Now
> that's not directly related, as rbldnsd will never need to know the
> DNSSEC root keys ... but I'm just saying. It is quite possible that
> somebody will want to run a recursive nameserver and an authoritative
> nameserver, different packages, on the same host. I wouldn't bother
> with that, mind you.

Well, for instance the .debian.org authoritative nameservers we run all
also have a local unbound installed as their local recursor.

unbound binds to localhost:53, bind9 to all the other addresses of a
host.

I don't think it's all that strange a setup.

Cheers,
weasel
--
Peter Palfrader | http://www.palfrader.org/ | Debian, the universal operating system: http://www.debian.org/


Archive: http://lists.debian.org/20121010005033.GK1312@anguilla.noreply.org

