Speaker
Paul Hoffman
(ICANN)
Description
Validating resolvers need a way to get the DNSSEC root trust anchors. Today, most use one of the tools built into the popular resolvers, such as unbound-anchor. Some systems want to get and validate the trust anchors independently of any existing resolver software.
We have created a system that requires only Python 2.7 or 3.x with no additional modules, plus any recent OpenSSL command-line binary. It downloads the trust anchor set, validates the download, extracts the trust anchors, and compares them against the trust anchors in the root zone. (OpenSSL is used only to validate the contents of the trust anchor file against the ICANN CA.) A primary goal of the program is to allow use on systems where the operator can't reliably install Python modules; a secondary goal is to act as readable pseudocode for developers who want to create similar functionality in other languages.
This talk also briefly covers other tools for getting and validating DNSSEC root trust anchors.
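The "extract and compare" step of the procedure described above, as an added stdlib-only illustration (not the talk's tool): parse KeyDigest entries from a root-anchors.xml-style document, compute the key tag (RFC 4034 Appendix B) and the type-2 (SHA-256) DS digest of a root DNSKEY, and report which currently valid anchor it matches. The XML fragment, the key bytes and the dates are constructed sample values, not the real IANA file or root KSK, and the code assumes Python 3.7+ for datetime.fromisoformat.

```python
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ROOT_OWNER_WIRE = b"\x00"  # wire form of the root name "."

def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_to_ds(flags, protocol, algorithm, pubkey):
    """Return (key tag, SHA-256 hex digest) as a digest-type-2 DS would carry."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = hashlib.sha256(ROOT_OWNER_WIRE + rdata).hexdigest().upper()
    return key_tag(rdata), digest

def parse_anchors(xml_text, now):
    """Yield KeyDigest entries from the XML that are valid at `now`."""
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        start = datetime.fromisoformat(kd.get("validFrom"))
        until = kd.get("validUntil")
        if now < start or (until and now >= datetime.fromisoformat(until)):
            continue  # skip anchors outside their validity window
        yield {"id": kd.get("id"), "tag": int(kd.findtext("KeyTag")),
               "alg": int(kd.findtext("Algorithm")),
               "dtype": int(kd.findtext("DigestType")),
               "digest": kd.findtext("Digest").upper()}

def matching_anchor(xml_text, now, flags, protocol, algorithm, pubkey):
    """Return the id of the valid anchor this root DNSKEY matches, or None."""
    tag, digest = dnskey_to_ds(flags, protocol, algorithm, pubkey)
    for a in parse_anchors(xml_text, now):
        if a["dtype"] == 2 and (a["tag"], a["alg"], a["digest"]) == (tag, algorithm, digest):
            return a["id"]
    return None

# Constructed sample key and XML (not the real root KSK or the IANA file).
SAMPLE_KEY = bytes(range(1, 65))
SAMPLE_TAG, SAMPLE_DIGEST = dnskey_to_ds(257, 3, 8, SAMPLE_KEY)
SAMPLE_XML = f"""<TrustAnchor id="sample" source="https://example.invalid/root-anchors.xml">
<Zone>.</Zone><KeyDigest id="sample-ksk" validFrom="2020-01-01T00:00:00+00:00">
<KeyTag>{SAMPLE_TAG}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>{SAMPLE_DIGEST}</Digest></KeyDigest></TrustAnchor>"""
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)       # inside the validity window
EARLIER = datetime(2019, 1, 1, tzinfo=timezone.utc)   # before validFrom
```

In practice the DNSKEY fields come from a DNSKEY query for "." and the XML from the downloaded, OpenSSL-verified root-anchors.xml; a None result means the key is not a currently valid trust anchor.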
Talk duration: 15 Minutes
Primary author
Paul Hoffman
(ICANN)
Co-author
Jakob Schlyter
(Kirei)