Full DNSSEC support
Goal Description
- Enable DNSSEC support in validating resolvers
- Prime validating resolvers with DNSSEC keys
- Provide way how to update DNSSEC trust anchors.
Current Status
- In Debian, there are two DNSSEC aware resolvers:
- Bind9
- Unbound
- Trust anchors:
IANA ITAR
- Update trust anchors
Related packages
Other Issues
- Does Debian need its own TAR? (Probably.)
- How to update trust anchors in old_stable, so the validation doesn't break?
- Trust anchors are probably material for volatile? (It will improve with Root getting signed.)
Do we support DLV? (Rather not by default.)
Other Distributions
Fedora has nice project page about DNSSEC. Almost everything there applies to Debian as well.