On 2019-01-20 3:59 p.m., Ondřej Surý wrote:
> That seems overly complicated for a little gain. dns-root-data has
> the current root key and keeps it up-to-date for all DNS related
> packages.
Boilerplate aside, it essentially turns unbound-anchor into a daily job that keeps the root.key current (seeding it from dns-root-data if applicable). I couldn't find a simpler way to implement RFC 5011 for those not running the full-fledged unbound daemon.

Considering that libs and tools expect the root.key to be under /var/lib/unbound and unbound itself wants to write to that file for RFC 5011, I can't think of a simpler way to rely only on dns-root-data [*].

IIRC, unbound is installed by default in Fedora, so the concept received some testing already, but I agree it's a little complex. I'm definitely open to implementing a different solution if you have an idea in mind.

Regards,
Simon

*: updates to dns-root-data can take time to propagate to downstream distros, so unbound-anchor could provide an elegant failsafe solution
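The daily job Simon describes, as an added example that is not part of the original message nor of the unbound or dns-root-data packages: it seeds /var/lib/unbound/root.key from the copy dns-root-data ships under /usr/share/dns/root.key when the target is missing, then lets unbound-anchor apply RFC 5011 tracking to it. The script name, the environment-variable guard, the systemd check and the sample key content in the test are assumptions made for this example; the `-a` and `-r` options of unbound-anchor are assumed to be available in your version.

```shell
#!/bin/sh
# refresh-root-key.sh (hypothetical name): keep the unbound root.key current
# on hosts that run unbound-anchor from cron or a systemd timer instead of the
# unbound daemon. Example written for this thread, not project code.
#
# Assumed paths: dns-root-data ships /usr/share/dns/root.key and
# /usr/share/dns/root.hints; unbound tools and libraries read
# /var/lib/unbound/root.key. Both can be overridden from the environment.
ROOT_KEY="${ROOT_KEY:-/var/lib/unbound/root.key}"
SEED_KEY="${SEED_KEY:-/usr/share/dns/root.key}"
ROOT_HINTS="${ROOT_HINTS:-/usr/share/dns/root.hints}"

# seed_root_key TARGET SEED
# Prints "seeded" when TARGET was missing or empty and SEED was copied in,
# "kept" when TARGET already has content (unbound-anchor owns it from then on),
# and "none" (exit 1) when neither file is usable.
seed_root_key() {
    target="$1"
    seed="$2"
    if [ -s "$target" ]; then
        echo kept
        return 0
    fi
    if [ -s "$seed" ]; then
        mkdir -p "$(dirname "$target")"
        cp "$seed" "$target"
        echo seeded
        return 0
    fi
    echo none
    return 1
}

# anchor_status EXIT_CODE
# unbound-anchor exits 0 when the anchor is already current and 1 when it
# rewrote the file after a successful RFC 5011 check; only other codes are
# failures. A job that treats every non-zero status as an error will page
# someone on each successful rollover.
anchor_status() {
    case "$1" in
        0) echo current ;;
        1) echo updated ;;
        *) echo failed; return 1 ;;
    esac
}

refresh_root_key() {
    # A running unbound daemon performs RFC 5011 itself and writes this file;
    # do not race it from a second process. (systemd unit name assumed.)
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet unbound; then
        echo "unbound daemon active, leaving root.key to it" >&2
        return 0
    fi
    # First run: start from the key dns-root-data shipped. Later runs keep
    # whatever unbound-anchor has been tracking, which may be newer than the
    # package (the failsafe mentioned in the thread).
    seed_root_key "$ROOT_KEY" "$SEED_KEY" >/dev/null || true
    # -a: anchor file to read and update; -r: root server addresses to query.
    if unbound-anchor -a "$ROOT_KEY" -r "$ROOT_HINTS"; then
        rc=0
    else
        rc=$?
    fi
    anchor_status "$rc"
}

# Run the job only when invoked as such, so the functions above can be sourced.
if [ "${REFRESH_ROOT_KEY_MAIN:-0}" = 1 ]; then
    refresh_root_key
fi
```

Run it as `REFRESH_ROOT_KEY_MAIN=1 ./refresh-root-key.sh` from a daily timer, as the user that owns /var/lib/unbound so unbound-anchor can write the file. The seeding step is deliberately one-shot: once the file has content the package copy is never used again, otherwise every package upgrade would roll the host back to the key the distro shipped and undo the RFC 5011 state unbound-anchor has accumulated.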