Full DNSSEC support

Goal Description

• Enable DNSSEC support in validating resolvers
• Prime validating resolvers with DNSSEC keys
• Provide way how to update DNSSEC trust anchors.

Current Status

• In Debian, there are two DNSSEC aware resolvers:
  • Bind9
  • Unbound
• Trust anchors:

  • IANA ITAR

  • Root zone signing

• Update trust anchors

  • autotrust

  • ITAR has script for downloading and priming validating resolvers.

Related packages

• ldns

• autotrust

• unbound

• bind9

• nsd3

• ITP: dnssec-conf

Other Issues

• Does Debian need its own TAR? (Probably.)
• How to update trust anchors in old_stable, so the validation doesn't break?
• Trust anchors are probably material for volatile? (It will improve with Root getting signed.)

• Do we support DLV? (Rather not by default.)

Other Distributions

Fedora has nice project page about DNSSEC. Almost everything there applies to Debian as well.