On Thursday, October 04, 2012 10:44:10 PM Philipp Kern wrote:
> On Thu, Oct 04, 2012 at 03:10:01PM -0400, Chris Knadle wrote:
> > Last I looked into this [which has admittedly been a while], Bind 9 was
> > the only DNS server that had actually implemented DNSSEC, and the others I
> > looked at (PowerDNS, djbdns, tinydns) had stated (IIRC) that they were
> > /not/ going to be implementing it.
>
> Obviously there are also recursive resolver implementations, like unbound.
> To the client they look like DNS servers, too. (And you really want to use
> one of them on your local machine to do the DNSSEC validation.)

Obviously I forgot about that case; thanks for pointing this out. [Likewise I hadn't considered the possibility of 'dig' being able to do this either.]

> Generally plain servers do not care about the key, it's just the recursive
> resolvers that need it.

That makes sense; the reason I missed the other cases is that I'm used to Bind9, where the recursive resolver /is/ the DNS server. [Which itself is an issue.]

> > The problem with this idea is that files installed by Debian packages must
> > be unique in order to avoid file conflicts between packages. One way
> > around this issue is via 'alternatives'. [1]
>
> Alternatives don't make sense. A dedicated package might make some.

Yes, I thought about the dedicated package case first, but then realized that this would introduce a Depends/Suggests/Recommends on that package to the other DNS server packages that are DNSSEC capable. However, being that there's clearly a wider use case for the DNSSEC root key, I see what you mean and I agree. Thanks.

  -- Chris

--
Chris Knadle
chris.kna...@coredump.us

Archive: http://lists.debian.org/6885195.3YkuVxqPbt@trelane