On 2022-04-28 13:02, Michael Tokarev wrote:
> Control: tag -1 + moreinfo
> So, will adding a Recommends: dns-root-data either to libunbound
> or to various software packages (eg unbound-host) fix this?

dns-root-data doesn't put the key where unbound-host expects it though:

# unbound-host -D google.com
[1651242475] libunbound[100:0] error: error opening file /var/lib/unbound/root.key: No such file or directory
[1651242475] libunbound[100:0] error: error reading trust-anchor-file: /var/lib/unbound/root.key
[1651242475] libunbound[100:0] error: validator: error in trustanchors config
[1651242475] libunbound[100:0] error: validator: could not apply configuration settings.
[1651242475] libunbound[100:0] error: module init for module validator failed
resolve error: initialization failure

Since unbound-host only reads the root.key, maybe it could be told to
fall back to reading it from /usr/share/dns/root.key.

I'm suggesting doing it as a fallback only because that file isn't
subject to RFC 5011 maintenance; only package updates will bring a fresh
KSK. I suspect that for some environments the distinction could matter.

Simon
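
Added example (not part of the original message, and not code from unbound or dns-root-data): a shell wrapper sketching the fallback order discussed above. It prefers /var/lib/unbound/root.key, falls back to /usr/share/dns/root.key, and hands the chosen file to unbound-host through its -f keyfile option; the function names and the record-matching pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Candidate trust-anchor files, in order of preference (paths from the thread).
MANAGED_ANCHOR=/var/lib/unbound/root.key   # copy subject to RFC 5011 maintenance
STATIC_ANCHOR=/usr/share/dns/root.key      # shipped by dns-root-data, updated by package only

# has_root_anchor FILE (hypothetical helper): succeed only if FILE is readable
# and holds at least one non-comment DNSKEY or DS record owned by the root
# zone ("."), so an empty or comment-only file is never selected.
has_root_anchor() {
    [ -r "$1" ] || return 1
    grep -Eq '^\.[[:space:]]+(.*[[:space:]])?(DNSKEY|DS)[[:space:]]' "$1"
}

# pick_trust_anchor [FILE...] (hypothetical helper): print the first usable
# file; with no arguments, try the managed copy and then the static one.
pick_trust_anchor() {
    [ "$#" -gt 0 ] || set -- "$MANAGED_ANCHOR" "$STATIC_ANCHOR"
    for f in "$@"; do
        if has_root_anchor "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# validated_host NAME (hypothetical helper): validating lookup with the chosen
# anchor. -D is left out on purpose: it makes unbound-host read its built-in
# default path, which is the file that is missing in the report above.
validated_host() {
    anchor=$(pick_trust_anchor) || {
        echo "no usable root trust anchor found" >&2
        return 2
    }
    if [ "$anchor" != "$MANAGED_ANCHOR" ]; then
        echo "warning: using $anchor, which is not RFC 5011-maintained" >&2
    fi
    unbound-host -f "$anchor" "$1"
}
```

The warning on stderr keeps the distinction visible to operators: a lookup that validated against the static file depends on package updates for a fresh KSK.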