Despite my best efforts searching, I can’t seem to find the correct way to deal with DNSSEC trust anchors cross-platform. I would like to enable DNSSEC validation for various DNS-based functions in a program that uses libunbound (C++), but maintaining trust anchors within the git repo is untenable (as some users don’t compile from source). Note: the program uses libunbound for DNS queries, not as a server.
Can anyone point me in the right direction for where various OS keep DNSSEC anchors, or if they include them? Currently we build for Win (XP+), OSX, Linux, and FreeBSD.
Thanks in advance if anyone is able to help.
Are you referring to the root key and the dlv key? Or are you referring
to your own custom KSK keys?
fedora/rhel, and I believe debian/ubuntu, put the root key in
/var/lib/unbound/root.anchor, maintained by unbound-anchor.
On fedora/rhel, we put the dlv key at /etc/unbound/dlv.isc.org.key.
Custom KSKs on fedora/rhel go into /etc/unbound/keys.d.
That said, libreswan for example uses libunbound, and it actually
includes its own copy of the root KSK. I wish we could get to a
universal key directory, like /etc/dnssec/keys.d or something,
using a single (bind) format for the key, but I think I will
have a pony first.
Paul
Thanks for the quick reply!
So for unbound installed in a default config on a Linux box, that seems reasonable. But that doesn’t help with Windows, and requires unbound installed (rather than just e.g. libunbound-dev on *buntu). I’m hoping to find a solution that will be very cross-platform friendly and not require an extra dependency, but I can sacrifice the latter in the interest of the former if necessary.
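As an added example (not code from this thread, nor from libunbound's own sources), here is a C++ helper for a libunbound client that probes the unbound-anchor file named above plus a few fallback locations, accepts a file only if it actually contains a DNSKEY or DS record, and then hands it to libunbound with ub_ctx_add_ta_file and checks the secure/bogus flags on a query. The /etc/unbound/root.key and Windows paths, the constructed sample key line, and the validate_a helper are assumptions for illustration.

```cpp
// Added example: find a usable DNSSEC trust anchor on the host and feed it to libunbound.
#include <cstdlib>
#include <fstream>
#include <string>
#include <vector>
#if __has_include(<unbound.h>)
#include <unbound.h>
#define HAVE_LIBUNBOUND 1
#endif

// Candidate anchor files, most preferred first. The /var/lib/unbound path is the
// unbound-anchor-maintained file from the thread; the remaining entries are assumptions.
std::vector<std::string> anchor_candidates() {
    std::vector<std::string> v = {"/var/lib/unbound/root.anchor", "/var/lib/unbound/root.key",
                                  "/etc/unbound/root.key"};
#ifdef _WIN32
    if (const char* pf = std::getenv("ProgramFiles"))  // assumption: Windows installer location
        v.push_back(std::string(pf) + "\\Unbound\\root.key");
#endif
    return v;
}

// Accept only a readable file with at least one non-comment DNSKEY or DS record, so an
// empty or stale placeholder cannot silently leave the resolver running unvalidated.
bool looks_like_anchor(const std::string& path) {
    std::ifstream in(path);
    std::string line;
    while (in && std::getline(in, line)) {
        if (line.empty() || line[0] == ';') continue;
        if (line.find(" DNSKEY ") != std::string::npos || line.find(" DS ") != std::string::npos)
            return true;
    }
    return false;
}

// First candidate that passes the check; "" means fail closed or warn, never trust blindly.
std::string pick_anchor(const std::vector<std::string>& candidates) {
    for (const auto& p : candidates) if (looks_like_anchor(p)) return p;
    return "";
}

// Writes a constructed (NOT real) anchor line so the selection logic can be tested offline.
std::string write_constructed_anchor(const std::string& path) {
    std::ofstream out(path);
    out << "; constructed sample, not the real root KSK\n"
        << ". 172800 IN DNSKEY 257 3 8 AwEAAexampleKeyMaterial== ;{id = 0 (ksk)}\n";
    return path;
}

// Resolve an A record with validation: 1 = secure, 0 = insecure (no chain), -1 = bogus or
// error, -2 = libunbound not available at build time.
int validate_a(const std::string& anchor, const std::string& name) {
#ifdef HAVE_LIBUNBOUND
    ub_ctx* ctx = ub_ctx_create();
    if (!ctx || ub_ctx_add_ta_file(ctx, anchor.c_str()) != 0) { if (ctx) ub_ctx_delete(ctx); return -1; }
    ub_result* r = nullptr;
    int rc = ub_resolve(ctx, name.c_str(), 1 /* A */, 1 /* IN */, &r);
    int out = (rc != 0 || !r) ? -1 : r->bogus ? -1 : r->secure ? 1 : 0;
    if (r) ub_resolve_free(r);
    ub_ctx_delete(ctx);
    return out;
#else
    (void)anchor; (void)name; return -2;
#endif
}
```

Treat an empty result from pick_anchor as a configuration error to surface to the user rather than quietly continuing without validation.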