Oct 15 – 16, 2016
The Fairmont Dallas
US/Central timezone

Tools for Securely Getting DNSSEC Root Trust Anchors

Oct 15, 2016, 4:30 PM
Gold (The Fairmont Dallas)


1717 N Akard St Dallas, TX 75201 USA
Standard Presentation / Public Workshop: DNSSEC


Paul Hoffman (ICANN)


Validating resolvers need a way to get the DNSSEC root trust anchors. Today, most use one of the tools built into the popular resolvers, such as unbound-anchor. Some systems want to get and validate the trust anchors independently of any existing resolver software. We have created a system that only requires Python 2.7 or 3.x with no additional modules, plus any recent OpenSSL command line binary, that downloads the trust anchor set, validates the download, extracts the trust anchors, and compares them against the trust anchors in the root zone. (OpenSSL is used only for validating the contents of the trust anchor file using the ICANN CA.) A primary goal of the program is to allow use in systems where the operator can't reliably install Python modules; a secondary goal is to act as readable pseudocode for developers who want to create similar functionality in different languages. This talk also briefly covers other tools for getting and validating DNSSEC root trust anchors.
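The "extract the trust anchors and compare them against the root zone" step from the abstract, as an added example that is not the program presented in the talk. It assumes the trust anchor file uses the `KeyDigest` element names of the published root-anchors XML format (RFC 7958), assumes the file's signature has already been validated, and ignores validity dates; the key material is a constructed dummy.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

ROOT_OWNER = b"\x00"  # wire-format owner name of the root zone

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Build DNSKEY RDATA (RFC 4034 section 2.1) from presentation fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(bytearray(rdata)))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(rdata):
    """SHA-256 DS digest (digest type 2) over owner name + DNSKEY RDATA."""
    return hashlib.sha256(ROOT_OWNER + rdata).hexdigest().upper()

def parse_anchors(xml_text):
    """Extract (key tag, algorithm, digest type, digest) from each KeyDigest."""
    anchors = []
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        anchors.append((int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
                        int(kd.findtext("DigestType")), kd.findtext("Digest").strip().upper()))
    return anchors

def matching_ksks(xml_text, dnskeys):
    """Return key tags of root KSKs (SEP bit set) that match a trust anchor."""
    anchors = set(parse_anchors(xml_text))
    matched = []
    for flags, protocol, algorithm, key_b64 in dnskeys:
        rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
        if flags & 0x0001 and (key_tag(rdata), algorithm, 2, ds_digest(rdata)) in anchors:
            matched.append(key_tag(rdata))
    return matched

# Constructed sample: dummy 4-byte "keys", not real root keys.
SAMPLE_KEYS = [(257, 3, 8, "AQIDBA=="), (256, 3, 8, "BQYHCA==")]
_rd = dnskey_rdata(*SAMPLE_KEYS[0])
SAMPLE_XML = ("<TrustAnchor><Zone>.</Zone><KeyDigest><KeyTag>%d</KeyTag>"
              "<Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>%s</Digest>"
              "</KeyDigest></TrustAnchor>" % (key_tag(_rd), ds_digest(_rd)))

if __name__ == "__main__":
    print(matching_ksks(SAMPLE_XML, SAMPLE_KEYS))
```

An empty result means no key in the root DNSKEY set corresponds to a published anchor, which a deployment should treat as a hard failure rather than fall back to unvalidated keys.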
Talk duration 15 Minutes
