Hi all,

Thank you Manu.

On 28/03/2019 15:39, manu tman wrote:

> Hi all,
>
> During the BoF session this morning, it was asked how long it would take vendors to incorporate the new KSK in their software. The few that spoke said it was a relatively short time. This is fine for people that get the latest versions and install them, but it involves more communication between multiple parties when the goal is to update the keys and does not involve a binary change.
Indeed, this is correct. We do have contact persons with the well-known Linux and *BSD distributions, and there are procedures to get the new DNSSEC key incorporated in stable distributions. For us it takes a relatively small effort and a short time, but it puts some burden on the packagers and distributions to update the software in their repos.
> One approach I would suggest is to rather work with DNS vendors to make sure they can all read the keys from a given format(s) (which I am sure is already the case) and then work with distros to make sure that all the DNS software they ship uses the same file. This file can then be distributed via a `trust-anchor` package à la `ca-certificates` for Red Hat- and Debian-based distros. There is obviously an existing process for that, so I am hopeful it could be replicated for getting trust anchors from IANA. Automation on the distro side to pick up new trust anchors also seems rather trivial. I would love to hear from people closer to the distros realm if this is not the case, but it seems something that could be quite easily addressed and would be sustainable long term.
>
> The update will apply uniformly to all DNS software shipped by the distros; there is no need to rebuild/recompile anything that involves DNS software. The package is pretty trivial to update and, assuming 4 major OSS DNS implementations, overhead drops by 3/4, or even close to 0 if some form of automation is put in place.
I would support such an approach to update/distribute trust anchors with distributions. Debian already has a package 'dns-root-data' that includes the TA (amongst other things) and installs the files in /usr/share/dns/ (credits to Ondrej, Robert and dkg). Speaking for Unbound, it is not using this package right now in Debian---its default config is with unbound-anchor and the TA in software as fallback---but it can be configured & packaged to make use of a system-wide installed TA.

--Benno

-- 
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
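As an added example (not code from this thread or from the dns-root-data package), here is a Python check that the DNSKEY-format and DS-format copies of a trust anchor, such as root.key and root.ds as a system-wide package might install them under /usr/share/dns/, describe the same KSK: it derives the key tag and SHA-256 DS digest from each DNSKEY with the SEP flag and reports any DS that no key reproduces. The file names are assumptions and the sample records are constructed; the key blobs are not the real root KSK.

```python
import base64
import hashlib
# Constructed sample files in the two formats; the key blobs are made up and are
# NOT the real root KSK. Lines follow '<owner> [TTL] IN <type> <rdata>'.
SAMPLE_ROOT_KEY = """; constructed root.key
.   IN  DNSKEY  257 3 8 AQIDBAUGBwg=
.   IN  DNSKEY  256 3 8 CQoLDA0ODxA=
"""
SAMPLE_ROOT_DS = """; constructed root.ds: stale DS for a key no longer in root.key
.   IN  DS  12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
"""
def name_to_wire(name):
    """Canonical wire form of an owner name; the root '.' is a single zero byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (algorithms other than RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, proto, alg, key_b64):
    """(key tag, algorithm, digest type 2, SHA-256 hex): what a DS record for this key carries."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, 2, digest

def parse_anchor_file(text):
    """Yield ('DNSKEY', owner, flags, proto, alg, b64) or ('DS', owner, tag, alg, dtype, HEX)."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()           # drop comments and blank lines
        if len(fields) >= 7 and fields[1].isdigit():  # optional TTL between owner and class
            del fields[1]
        if len(fields) < 7 or fields[2] not in ("DNSKEY", "DS"):
            continue
        owner, _cls, rtype, a, b, c, *rest = fields
        yield (rtype, owner, int(a), int(b), int(c), "".join(rest).upper() if rtype == "DS" else "".join(rest))

def unmatched_ds(key_text, ds_text):
    """DS records (SHA-256) in ds_text that no KSK (SEP flag set) in key_text reproduces."""
    derived = {(r[1],) + ds_from_dnskey(*r[1:]) for r in parse_anchor_file(key_text)
               if r[0] == "DNSKEY" and r[2] & 1}
    return [r for r in parse_anchor_file(ds_text)
            if r[0] == "DS" and r[4] == 2 and r[1:] not in derived]

if __name__ == "__main__":
    for stale in unmatched_ds(SAMPLE_ROOT_KEY, SAMPLE_ROOT_DS):
        print("DS not backed by any KSK in root.key:", stale)
```

Run against the sample data it reports the stale DS (key tag 12345); an empty result means every SHA-256 DS in the DS-format file is backed by a KSK in the DNSKEY-format file.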