On 2018-05-31 08:30 AM, Alexander Traud wrote:
> However, there might be another approach: The package "dns-root-data"
> is not just in Universe but in Main and is one of the sources of that
> root.key already. Perhaps it is easier to update the package
> "dns-root-data" manually and then
> - simply symlink the root.keys
> or/and
> - change libunbound2 to use that root.key on default directly
>   (set at compile time).

A symlink wouldn't do as unbound wants to write to that file to keep it
current.

> With such an approach, no script and no timer would be needed.
> Nevertheless, I am not sure whether this approach is "allowed"
> security wise because an (additional) individual has control over
> the root.key – at least in Debian world, then.

The package-helper script tries to use the dns-root-data provided
root.key as initial seed if present.

The idea behind dns-root-data was to have a single package to maintain
and distribute a fresh root.key (and root NS hints) but newer versions
were not backported to Ubuntu.

Also, KSK rollovers utilize a mechanism (RFC5011) to securely introduce
new keys and this might be faster than deploying updated versions of
dns-root-data. Not everyone deploys updates swiftly so having the
RFC5011 method would cover those users.

IMHO, it would be best to use both methods: have unbound-anchor
schedule updates and push fresh versions of dns-root-data to all
supported releases.

Regards,
Simon

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1771545

Title:
  root.key might be missing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1771545/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
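The seeding logic Simon describes (use the dns-root-data copy of root.key as an initial seed, as a real copy rather than a symlink because unbound rewrites the file when RFC 5011 tracking learns a new KSK, then let unbound-anchor keep it current) can be sketched as a small shell script. This is an added illustration, not the unbound package-helper script from Ubuntu or Debian, and it assumes two paths the thread does not spell out: dns-root-data installs its copy at /usr/share/dns/root.key and unbound's writable auto-trust-anchor-file lives at /var/lib/unbound/root.key. Both can be overridden through the environment, and the sample anchor used in the comments is constructed, not a real trust anchor.

```shell
#!/bin/sh
# Added example, not the unbound package-helper script mentioned in the thread.
# Assumed paths (not stated in the thread): dns-root-data ships
# /usr/share/dns/root.key; unbound on Ubuntu writes /var/lib/unbound/root.key.
DNS_ROOT_DATA_KEY="${DNS_ROOT_DATA_KEY:-/usr/share/dns/root.key}"
UNBOUND_ROOT_KEY="${UNBOUND_ROOT_KEY:-/var/lib/unbound/root.key}"

# looks_like_root_anchor FILE
# Sanity check before trusting a seed: at least one record for the root zone
# (owner name ".") of type DS or DNSKEY, the two forms unbound accepts as an
# initial anchor. A constructed line that passes this check would be:
#   . IN DS 12345 8 2 <hex digest>
looks_like_root_anchor() {
    grep -Eq '^\.[[:space:]].*[[:space:]](DS|DNSKEY)[[:space:]]' "$1"
}

# seed_root_key SRC DST
# Prints one word describing the outcome; returns 0 unless no usable anchor is
# in place afterwards:
#   symlink  DST is a symlink (unbound could not rewrite it in place); refuse
#   present  DST already exists and is non-empty; keep it, because it may hold
#            keys learned via RFC 5011 that the packaged seed does not have
#   seeded   DST was created as a regular-file copy of SRC
#   missing  neither DST nor a usable SRC exists
seed_root_key() {
    src="$1"
    dst="$2"
    if [ -L "$dst" ]; then
        echo symlink
        return 1
    fi
    if [ -s "$dst" ]; then
        echo present
        return 0
    fi
    if [ -s "$src" ] && looks_like_root_anchor "$src"; then
        # A copy, never a symlink: unbound must be able to replace DST.
        cp -- "$src" "$dst" || return 1
        chmod 0644 "$dst"
        echo seeded
        return 0
    fi
    echo missing
    return 1
}

# refresh_root_key DST
# Hand the seeded file to unbound-anchor, which performs the RFC 5011 update
# and otherwise falls back to its built-in anchor. Skipped when the tool is not
# installed so the seeding logic above can be exercised on any machine.
refresh_root_key() {
    if command -v unbound-anchor >/dev/null 2>&1; then
        # unbound-anchor's non-zero exit status does not by itself mean failure
        # (see its man page), so the status is reported rather than acted on.
        unbound-anchor -a "$1" -v || echo "unbound-anchor exited with status $?"
    else
        echo "unbound-anchor not found; skipping RFC 5011 refresh"
    fi
}

# Only act when run as seed-root-key.sh, so the functions can also be sourced.
if [ "${0##*/}" = "seed-root-key.sh" ]; then
    seed_root_key "$DNS_ROOT_DATA_KEY" "$UNBOUND_ROOT_KEY" || exit 1
    refresh_root_key "$UNBOUND_ROOT_KEY"
fi
```

Saved as seed-root-key.sh and run once from a package postinst or a boot-time unit, it covers both halves of Simon's proposal: the packaged dns-root-data file gives a fresh starting point when it is present, and unbound-anchor takes over from there, which is why an existing root.key is deliberately left untouched rather than overwritten by the package copy.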