[ksk-rollover] new ksk and DNS software vendors

Benno Overeinder benno at NLnetLabs.nl
Thu Mar 28 15:19:28 UTC 2019

Hi all,

Thank you Manu.

On 28/03/2019 15:39, manu tman wrote:
> Hi all,
> During the BoF session this morning, it was asked how long it would take
> vendors to incorporate the new KSK in their software.
> The few that spoke said it was a relatively short time. This is fine for
> people that get the latest versions and install it, but involves more
> communication between multiple parties when the goal is to update the
> keys and does not involve binary change.

Indeed, this is correct.  We do have contact persons with the well-known
Linux and *BSD distributions, and there are procedures to get the new
DNSSEC key incorporated in stable distributions.  For us it takes a
relatively small effort and a short time, but puts some burden on the
packagers and distributions to update the software in their repos.

> One approach I would suggest is to rather work with DNS vendors to make
> sure they can all read the keys from a given format(s) (which I am sure
> is already the case) and then work with distros to make sure that all
> the DNS software they ship uses the same file.
> This file can then be distributed via a `trust-anchor` package à la
> `ca-certificates` for RedHat and Debian based distros. There is
> obviously an existing process for that, so I am hopeful it could be
> replicated for getting trust anchors from IANA. Automation on the distro
> side to pick up new trust anchors also seems rather trivial. I would love
> to hear from people closer to the distros realm if this is not, but it
> seems something that could be quite easily addressed and would be
> sustainable long term.
> The update will apply uniformly to all DNS software shipped by the
> distros, there is no need to rebuild/recompile anything which involves
> DNS software, the package is pretty trivial to update and assuming 4
> major OSS DNS software packages, overhead drops by 3/4, or even close to 0 if
> some form of automation is put in place.

I would support such an approach to update/distribute trust-anchors with
distributions.  Debian already has a package 'dns-root-data' that
includes the TA (amongst other things) and installs the files in
/usr/share/dns/ (credits to Ondrej, Robert and dkg).

Speaking for Unbound, it is not using this package right now in
Debian---its default config is with unbound-anchor and TA in software as
fallback---but can be configured & packaged to make use of a system-wide
installed TA.


Benno J. Overeinder
NLnet Labs
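A small check that goes with the approach discussed above, as an added example (not code from the mailing list, NLnet Labs, or any distro package): it parses a DNSKEY trust-anchor file in the zone-file form a package like 'dns-root-data' might install under /usr/share/dns/, computes RFC 4034 key tags, and reports whether a given KSK is already present, so an operator can verify the shipped file before depending on it. The sample file and its keys are constructed, not real root keys.

```python
"""Check which root KSKs a distro-shipped trust-anchor file carries.

Added example (not from the mailing list or any distro package). It parses a
DNSKEY presentation-format file such as a 'dns-root-data'-style package might
install under /usr/share/dns/ and computes RFC 4034 Appendix B key tags, so an
operator can confirm the new KSK is present before relying on the file.
"""
import base64
import struct

# Constructed sample, NOT a real root trust anchor: two tiny keys in the
# zone-file form `. [TTL] [IN] DNSKEY flags proto alg base64`.
SAMPLE_TA_FILE = """\
; constructed trust-anchor file for illustration
.  172800  IN  DNSKEY  257 3 8  AQI=
.  IN  DNSKEY  256 3 8  AwQ=
"""

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for RSAMD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(text: str) -> list[dict]:
    """Parse DNSKEY records; TTL and class are optional, ';' starts a comment."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        idx = fields.index("DNSKEY")
        flags, proto, alg = (int(f) for f in fields[idx + 1 : idx + 4])
        pubkey = base64.b64decode("".join(fields[idx + 4 :]))  # base64 may be split
        keys.append({"owner": fields[0], "flags": flags, "algorithm": alg,
                     "ksk": bool(flags & 0x0001),  # SEP bit marks a KSK
                     "tag": key_tag(flags, proto, alg, pubkey)})
    return keys

def ksk_tags(text: str) -> list[int]:
    """Key tags of the KSKs (SEP-flagged DNSKEYs) found in the file."""
    return [k["tag"] for k in parse_dnskeys(text) if k["ksk"]]

def has_ksk(text: str, expected_tag: int) -> bool:
    """True when the trust-anchor file already carries the KSK with this tag."""
    return expected_tag in ksk_tags(text)

if __name__ == "__main__":
    print("KSK tags in sample file:", ksk_tags(SAMPLE_TA_FILE))
```

Run it against the real installed file by reading /usr/share/dns/root.key (the file name is an assumption) and passing the key tag of the KSK you expect.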
