Comment 7 for bug 1771545

Simon Déziel (sdeziel) wrote : Re: [Bug 1771545] Re: root.key might be missing

On 2018-05-31 08:30 AM, Alexander Traud wrote:
> However, there might be another approach: The package "dns-root-data"
> is not just in Universe but in Main and is one of the sources of that
> root.key already. Perhaps it is easier to update the package
> "dns-root-data" manually and then - simply symlink the root.keys
> or/and - change libunbound2 to use that root.key on default directly
> (set at compile time).

A symlink wouldn't do as unbound wants to write to that file to keep it
current.

> With such an approach, no script and no timer would be needed.
> Nevertheless, I am not sure whether this approach is "allowed"
> security wise because an (additional) individual has control over
> the root.key – at least in Debian world, then.

The package-helper script tries to use the dns-root-data
provided root.key as initial seed if present.

The idea behind dns-root-data was to have a single package to maintain
and distribute a fresh root.key (and root NS hints) but newer versions
were not backported to Ubuntu. Also, KSK rollovers utilize a mechanism
(RFC5011) to securely introduce new keys and this might be faster than
deploying updated versions of dns-root-data. Not everyone deploys updates
swiftly, so having the RFC5011 method would cover those users.

IMHO, it would be best to use both methods: have unbound-anchor schedule
updates and push fresh versions of dns-root-data to all supported releases.

Regards,
Simon
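The "use both methods" approach in the comment above, as an added example that is not the package's own helper script: seed unbound's anchor from the dns-root-data copy only when it is missing, never overwrite one that unbound-anchor already maintains under RFC5011, and then let unbound-anchor refresh it. The paths /usr/share/dns/root.key and /var/lib/unbound/root.key and the unbound-anchor exit-code handling are assumptions.

```shell
#!/bin/sh
# Seed unbound's RFC5011-managed trust anchor from dns-root-data when it is
# missing, without ever clobbering an anchor unbound-anchor already maintains.
# Default paths below are assumptions (Debian/Ubuntu layout), not from the bug.
set -eu

# seed_root_key SEED TARGET
# Copies SEED to TARGET only when TARGET is absent or empty. A real copy is
# used rather than a symlink: unbound-anchor must rewrite TARGET on a KSK
# rollover, so it cannot point at a package-owned file.
# Prints "seeded", "kept" or "missing-seed"; returns 1 only in the last case.
seed_root_key() {
    seed=$1; target=$2
    if [ -s "$target" ]; then
        echo kept; return 0
    fi
    if [ ! -s "$seed" ]; then
        echo missing-seed; return 1
    fi
    mkdir -p "$(dirname "$target")"
    cp "$seed" "$target"
    echo seeded
}

# refresh_root_key TARGET
# Lets unbound-anchor apply RFC5011 updates to TARGET. Skipped when the tool is
# not installed so the script still runs stand-alone (e.g. in a test).
refresh_root_key() {
    target=$1
    if command -v unbound-anchor >/dev/null 2>&1; then
        # Assumption: unbound-anchor exits non-zero when it changed the file;
        # that is expected after a rollover, not a failure.
        unbound-anchor -a "$target" || true
    fi
}

main() {
    seed=${1:-/usr/share/dns/root.key}       # shipped by dns-root-data
    target=${2:-/var/lib/unbound/root.key}   # managed by unbound-anchor
    seed_root_key "$seed" "$target"
    refresh_root_key "$target"
}

# Only run when invoked as a script named seed-root-key.sh (assumed name).
[ "${0##*/}" = "seed-root-key.sh" ] && main "$@"
```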